CN104160677B - Device arrangement and method for implementing a data transmission network used in the remote control of properties - Google Patents


Info

Publication number: CN104160677B
Authority: CN (China)
Prior art keywords: home control, network, control network, vpn, equipment
Legal status: Active
Application number: CN201380012759.5A
Other languages: Chinese (zh)
Other versions: CN104160677A
Inventor: V.伊里马蒂莫
Current assignee: TOSIBOX Oy
Original assignee: TOSIBOX Oy

Events: application filed by TOSIBOX Oy; publication of CN104160677A; application granted; publication of CN104160677B; legal status active; anticipated expiration.


Classifications (CPC, leaf groups; all under H04L, transmission of digital information)

    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H04L12/2803 Home automation networks
    • H04L12/283 Processing of data at an internetworking point of a home automation network
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L61/2567 NAT traversal for reachability, e.g. inquiring the address of a correspondent behind a NAT server
    • H04L61/2575 NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
    • H04L63/0272 Virtual private networks
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H04L69/165 Combined use of TCP and UDP protocols; selection criteria therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

In the remote control method according to the invention, a virtual private network (VPN) is set up between the home control network key of the remote control system and the home control network device in the property. To set up the VPN, both the home control network key and the home control network device determine their network path (201) from the data transmission network they are connected to towards the Internet. The determined network paths are stored (202) in a home control network server on the Internet. When a VPN is to be formed, the home control network server provides the stored network paths to the home control network key and the home control network device. Using the received network paths, the home control network key and the home control network device begin setting up the VPN (55) between them with a data transfer connection establishment method known to both.

Description

Device arrangement and method for implementing a data transmission network used in the remote control of properties
The present invention relates to a method for providing the data transmission network needed for remotely controllable actuators in a property.
Remotely controllable control devices and systems are increasingly installed in properties and homes. Their purpose is to protect and/or maintain the conditions in the property so that living there is both safe and comfortable. The range of remotely controlled or remotely monitored devices is wide. The same property may contain devices from several suppliers, and these devices usually cannot communicate with each other directly. It is also common that each system has its own operating logic, and remote control of that logic requires specific data communication solutions.
Recently, building service suppliers have solved the problem in a very general way by ordering, for their own purposes and at the customer's expense, a separate additional connection. This additional connection includes certain target-specific settings and must be maintained separately, over the telephone network or a broadband network; the broadband network may be a permanent wireless 2G/3G broadband connection. Most suppliers have found this to be the easiest mode of operation for them at present, even though it involves some problems.
If a new additional connection is provided for the target, agreement must usually be reached separately with the manager of the local intranet on the data communication issues. The intranet manager may have to make additional network configuration for the connection so that establishing the remote connection can succeed.
Dedicated solutions can also be used to attempt to solve the remote use of a target. A device supplier can buy its own radio network from an operator and form a private APN (Access Point Name) in it; the private APN is defined in the settings of GPRS (General Packet Radio Service) and HSDPA (High Speed Downlink Packet Access)/HSUPA (High Speed Uplink Packet Access) data communication networks. Using the APN settings, an Internet connection is provided to the devices in the target over a wireless 2G/3G/4G network. In such a case the user must pay separately for the connection and for the interface modem that implements its remote use. Usually such an additional connection cannot, or is not considered to, serve more than one purpose, for example the remote use of the devices provided by a building service supplier. In addition, operators nowadays usually limit the maximum amount of data transferred over such connections, which can cause large surcharges for the connection owner when the limit is exceeded.
In a housing-cooperative type target with several properties, the properties may be connected to an intranet formed only between the properties, and "remote use" then takes place inside that intranet. If the remote user is physically somewhere other than in the properties in question, no real remote contact can be obtained to such a target.
The object of the invention is to provide a new encrypted data transmission arrangement required for the remote control arrangement of the technical equipment in a property, in which the Internet connection that already exists in the property or home is also utilized for the remote use and monitoring of the building services. With the data communication connection establishment method according to the invention, the connection of a target in the property is changed so that it is also suitable for remote use. The existing functions of the data network connection in the target and of the target's intranet are not changed.
The object of the invention is achieved with a data transfer connection establishment method in which the home control network device installed in a fixed manner in the property and the home control network key of the person monitoring the property establish a secure bidirectional connection over the Internet, based on the contact details they receive from the home control network server according to the invention. The home control network device in the property connects the devices to be remotely controlled or monitored in the property to the data network interface device/network terminal of the property, such as a modem.
The current IP addresses of the home control network device and the home control network key are maintained in the home control network server related to the invention, and these IP addresses are used for establishing the connection between the devices. Thanks to the connection establishment method according to the invention, the devices can be connected to some private, non-public network and still establish a secure data transfer connection between them over the Internet. Advantageously, the devices also obtain a public IP address at some point in the established connection, which is enough to establish the data transfer connection over the Internet between the mobile home control network key and the fixedly installed home control network device, even if the home control network device and the home control network key themselves only have private IP addresses. In a preferred embodiment of the invention, after the home control network server has transmitted the usable IP addresses to the devices, it does not take part in the actual establishment of the data transfer connection.
An advantage of the data transfer connection establishment method used in the remote control system according to the invention in a property is that both devices of the home control network device pair can search for the route from their placement location to the IP address of the device of the property that is connected to the Internet, and store the searched route, together with the identification of the device pair and the IP addresses, in a separate home control network server on the Internet.
Another advantage of the invention is that the home control network devices according to the invention form between them predetermined unique device pairs or device groups, which identify each other in the data transmission network to be established. Thanks to this identification method, the home control network key carried by the user, or the computer program installed in some data processing device that implements the function of the home control network key, only establishes a network connection with its own unique home control network device and cannot connect to any other network device.
Another advantage of the invention is that the devices of the remote control system according to the invention establish between them, by means of the address information from the home control network server and independently of the local network devices serving them, a direct bidirectional secure data transfer connection over the Internet (VPN, virtual private network) at the data link layer (layer 2) or also the network layer (layer 3) level of the OSI model (Open Systems Interconnection reference model).
Another advantage of the invention is that the home control network devices can establish a secure data transfer connection between them also through firewalls that occasionally change their source or destination port.
The method according to the invention for establishing a virtual private network between two network terminals of a home control network is characterised in that:
- both a first network terminal and a second network terminal, which form a predetermined network terminal pair whose members are only allowed to communicate with one another, periodically send a poll to the home control network server asking whether the other device of the pair is connected to the data transmission network, and if so,
- both the first network terminal and the second network terminal connect to the home control network server to set up the virtual private network and request routing information from the home control network server, so that an end-to-end data transfer connection can be established between the network terminals,
- after the home control network server has verified that the network terminals are a predetermined network terminal pair, it sends the requested routing information to both the first network terminal and the second network terminal, and
- the first network terminal and the second network terminal use some known establishment method of virtual private networks to start the end-to-end data transfer connection establishment process, in order to provide at least one virtual private network.
The home control network key according to the invention, which connects to a virtual private network, is characterised in that it may comprise a processor, a memory and computer program code stored therein, configured to:
- periodically send a poll to the home control network server asking whether the home control network device, which is predetermined as the network terminal pair of the home control network key and with which the home control network key is allowed to communicate, is connected to the data transmission network, and if the home control network device is connected to the data transmission network:
- connect to the home control network server and request from it the routing information of the home control network device, in order to establish a virtual private network to the home control network device,
- receive the routing information of the home control network device from the home control network server, and
- use some known establishment method of virtual private networks to start the end-to-end data transfer connection establishment process, in order to provide at least one virtual private network with the home control network device.
The home control network device according to the invention, located in a property and connecting to a virtual private network, is characterised in that its processor, memory and computer program code stored therein are configured to:
- periodically send a poll to the home control network server asking whether the home control network key, which is predetermined as the network terminal pair of the home control network device and which is the only party the home control network device is allowed to communicate with, is connected to the data transmission network, and if the home control network key is connected to the data transmission network:
- connect to the home control network server and request from it the routing information of the home control network key, in order to establish a virtual private network to the home control network key,
- receive the routing information of the home control network key from the home control network server, and
- use some known establishment method of virtual private networks to start the end-to-end data transfer connection establishment process, in order to provide at least one virtual private network with the home control network key.
The computer program according to the invention used in the home control network key is characterised in that it comprises:
- a code module for periodically sending a poll to the home control network server asking whether the home control network device is connected to the data transmission network, where the home control network key and the home control network device form a predetermined terminal pair whose members are only allowed to communicate with one another, and if the home control network device is connected to the data transmission network:
- a code module for connecting to the home control network server and requesting from it the routing information of the home control network device, in order to establish a virtual private network to the home control network device,
- a code module for receiving the routing information of the home control network device from the home control network server, and
- a code module for using some known establishment method of virtual private networks to start the end-to-end data transfer connection establishment process, in order to provide at least one virtual private network with the home control network device.
The computer program according to the invention used in the home control network device is characterised in that it comprises:
- a code module for periodically sending a poll to the home control network server asking whether the home control network key is connected to the data transmission network, where the home control network device and the home control network key form a predetermined terminal pair whose members are only allowed to communicate with one another, and if the home control network key is connected to the data transmission network:
- a code module for connecting to the home control network server and requesting from it the routing information of the home control network key, in order to establish a virtual private network to the home control network key,
- a code module for receiving the routing information of the home control network key from the home control network server, and
- a code module for using some known establishment method of virtual private networks to start the end-to-end data transfer connection establishment process, in order to provide at least one virtual private network with the home control network key.
Some advantageous embodiments of the invention are given in the dependent claims.
The basic idea of the invention is as follows: to implement remote control in a property, a device pair is manufactured, consisting of a home control network device and a home control network key (device), in which at least one home control network device and at least one home control network key (device) can establish a secure data transfer connection only with each other. The home control network key (device) can be a separate electronic device manufactured for this purpose, or it can be some data processing device in which a computer program according to the invention is installed, the program implementing the home control network key function.
The home control network device is placed in the existing intranet or Internet network of the property to be remotely controlled. It establishes in the intranet or Internet network a sub-network, the control intranet, to which the various actuators to be controlled in the property are connected using wired or wireless data transfer connections.
In an advantageous embodiment of the invention, a single home control network key or several home control network keys can act as the device pair of two or more home control network devices located in different properties. The identification codes of the home control network device and the home control network key are stored in the devices in connection with their manufacture, or the devices exchange their identification codes when they are first connected to each other, for example via their USB ports. Using the identification codes, the home control network device and the home control network key establish a bidirectional secure data transfer connection between them.
At start-up, both devices determine, from their local network up to the network terminal device connected to the Internet, the routing information needed for connection establishment. This routing information is stored in the home control network server according to the invention, which is connected to the Internet. When the home control network key (device) wants to establish a data transfer connection over the Internet to its device pair in some property, it retrieves from the home control network server the routing information of the home control network device acting as its device pair. Using the obtained routing information, the home control network key starts a direct end-to-end data transfer connection establishment process, by which a secure virtual private network (VPN) is advantageously established between the home control network key and the home control network device. A suitable data transfer protocol is used as needed in establishing this data transfer connection.
Advantageously, establishment of the end-to-end data transfer connection can first be attempted as a TCP-based data transfer connection or as a UDP-based data transfer connection, if the components of the data transmission network between the devices allow this.
If the data transfer connection to be established passes through a network component (such as a firewall) that occasionally changes its source and/or destination port to prevent network attacks, establishment of the end-to-end data transfer connection can advantageously also be attempted, in addition to the methods mentioned above, by using UDP port scanning. Besides UDP port scanning, establishment of the end-to-end data transfer connection can also be attempted by using the ICMP protocol.
If for one reason or another a direct end-to-end data transfer connection cannot be established with the protocols mentioned above, a secure tunnel based on the TCP protocol is established through the home control network server related to the invention. In this embodiment the home control network server does not decrypt the secured messages it receives, but relays them unchanged to the receiving device. If during this established TCP relay connection it turns out that a VPN data transfer connection can be established, the data transfer advantageously switches over to that other bidirectional end-to-end data transfer connection.
Once the direct data transfer connection, or the data transfer connection relayed by the home control network server, has been established, a direct VPN data transfer connection is established between the home control network key and the home control network device in the property.
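As an added illustration (not code from the patent or from TOSIBOX), the claim steps above and the fallback order just described are modelled offline in Python: an in-memory stand-in for the home control network server that answers polls and hands out stored routes only to the predetermined pair, and a client that walks the TCP, UDP, UDP port scanning, ICMP and server-relay ladder. The server class, the probe dictionary and the firewall flags on RouteInfo are assumptions made for this example.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class RouteInfo:
    """Route a terminal discovers at start-up and stores on the server."""
    private_ip: str           # address in the property's own intranet
    public_ip: str            # public address of the NAT/firewall in front of it
    hops: Tuple[str, ...]     # discovered path from the terminal to the Internet
    # Constructed model of the firewall on the path (assumption, not from the patent):
    accepts_tcp: bool = True
    accepts_udp: bool = True
    randomizes_ports: bool = False   # firewall that changes source/target ports
    accepts_icmp: bool = False


class PairingError(Exception):
    """A terminal asked the server about a device it is not paired with."""


class HomeControlServer:
    """In-memory stand-in for the home control network server (assumption)."""

    def __init__(self, pairs: Dict[str, str]) -> None:
        # Pairing is fixed in advance; store it symmetrically so either
        # member of a pair can poll for the other.
        self._pairs: Dict[str, str] = dict(pairs)
        self._pairs.update({device: key for key, device in pairs.items()})
        self._routes: Dict[str, RouteInfo] = {}

    def register(self, terminal_id: str, route: RouteInfo) -> None:
        """Step 202: a terminal stores its discovered route when it comes online."""
        self._routes[terminal_id] = route

    def unregister(self, terminal_id: str) -> None:
        self._routes.pop(terminal_id, None)

    def poll(self, terminal_id: str, peer_id: str) -> bool:
        """Periodic poll: is my counterpart online? Refuses non-pair queries."""
        self._check_pair(terminal_id, peer_id)
        return peer_id in self._routes

    def request_route(self, terminal_id: str, peer_id: str) -> RouteInfo:
        """Hand out a stored route only to the predetermined pair member."""
        self._check_pair(terminal_id, peer_id)
        if peer_id not in self._routes:
            raise LookupError(f"{peer_id} is not connected")
        return self._routes[peer_id]

    def relay(self, ciphertext: bytes) -> bytes:
        """Fallback TCP tunnel: the server forwards the encrypted payload
        unchanged; it holds no key material, so it cannot read it."""
        return ciphertext

    def _check_pair(self, a: str, b: str) -> None:
        if self._pairs.get(a) != b:
            raise PairingError(f"{a} is not paired with {b}")


# Methods are tried in the order the description gives: TCP, UDP, UDP port
# scanning, ICMP, and finally the TCP tunnel relayed through the server.
METHOD_ORDER = ("tcp", "udp", "udp_port_scan", "icmp")
Probe = Callable[[RouteInfo], bool]


def firewall_model_probes() -> Dict[str, Probe]:
    """Probes that answer from the RouteInfo flags instead of sending packets
    (offline model so the example runs without a network)."""
    return {
        "tcp": lambda r: r.accepts_tcp and not r.randomizes_ports,
        "udp": lambda r: r.accepts_udp and not r.randomizes_ports,
        "udp_port_scan": lambda r: r.accepts_udp and r.randomizes_ports,
        "icmp": lambda r: r.accepts_icmp,
    }


def establish_vpn(route: RouteInfo, probes: Dict[str, Probe]) -> str:
    """Return the transport the VPN ends up on: 'direct:<method>' or 'relay:tcp'."""
    for method in METHOD_ORDER:
        probe = probes.get(method)
        if probe is not None and probe(route):
            return f"direct:{method}"
    return "relay:tcp"


def connect_to_pair(server: HomeControlServer, me: str, peer: str,
                    probes: Dict[str, Probe]) -> Optional[str]:
    """One poll cycle of a key or device; None means 'peer offline, poll again'."""
    if not server.poll(me, peer):
        return None
    route = server.request_route(me, peer)
    return establish_vpn(route, probes)


# Constructed sample routes. FW1 at 240.1.1.2 / 10.0.0.1 follows Fig. 1; the
# device's own address and the key-side addresses are made up for the example.
DEVICE_ROUTE = RouteInfo("10.0.0.2", "240.1.1.2", ("10.0.0.1", "240.1.1.2"))
KEY_ROUTE = RouteInfo("192.168.1.10", "203.0.113.7", ("192.168.1.1", "203.0.113.7"))
PORT_RANDOMIZING_ROUTE = replace(DEVICE_ROUTE, randomizes_ports=True)
LOCKED_DOWN_ROUTE = replace(DEVICE_ROUTE, accepts_tcp=False, accepts_udp=False)
```

The pairing check runs on every poll and route request, so a key that is not the device's predetermined pair never learns whether the device is online, let alone its route.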
The home control network device according to the invention is installed in the internal data transfer network of the property to be remotely controlled, between the existing internal data transfer network related to the control and management of the property and the network terminal that relays traffic from the property to the Internet. All devices related to the control of the property are connected to the input of the home control network device, and the output of the home control network device is connected to the input of the intranet device of the network terminal intended for relaying Internet traffic.
In the home control network system according to the invention, the home control network key is a device connected wirelessly or by cable to a network terminal device and to a suitable data processing device.
In another embodiment according to the invention, the home control network key can be connected to some data processing device that is connected to the Internet. Possible data processing devices are, for example, a PC, a tablet computer or a smartphone. In this embodiment the connection of the home control network key to the data processing device can be made, for example, by means of a LAN interface (local area network), a WLAN interface (wireless LAN), a WAN interface (wide area network), a USB interface (universal serial bus) or an antenna interface.
In an advantageous embodiment of the invention, the computer program implementing the function of the home control network key is stored on a portable data storage device (such as a USB stick), from which it can be installed to a suitable data processing device. The installed program simulates all the functions of the home control network key in the data processing device.
In the following, the invention is described in detail. The description refers to the accompanying drawings, in which:
Fig. 1a shows, as an example, how a bidirectional data transfer connection can be established according to the invention between a client device handling remote control and a separate control or management device of the property,
Fig. 1b shows another example according to the invention, in which a bidirectional data transfer connection is established between a client device that can handle remote control and a separate control or management device of the property,
Fig. 2 shows an exemplary flow chart of how a data transfer connection is established between a client device and a device in the property,
Fig. 3a shows, as an example, the sub-steps included in step 201 of Fig. 2,
Fig. 3b shows, as an example, the establishment steps included in step 206 of Fig. 2,
Fig. 4 shows, as an example, a home control network device according to the invention,
Fig. 5a shows, as an example, a home control network key according to the invention,
Fig. 5b shows, as an example, another home control network key according to the invention,
Fig. 6 shows, as an example, a home control network server according to the invention, and
Fig. 7 shows the connection layers used in the home control network system according to the invention.
The embodiments in the following description are presented only as examples, and a person skilled in the art can also realize the basic idea of the invention in ways other than those described here. Although this description may in places refer to a certain embodiment or embodiments, this does not mean that the reference applies only to the embodiment described, or that the described feature is available only in that embodiment. Individual features of two or more embodiments can be combined, and new embodiments of the invention can thereby be provided.
Fig. 1a and 1b show two advantageous embodiments 1A and 1B of the remote control system according to the invention. In the examples of Fig. 1a and 1b, the home control network key 42, 42b, or the data processing device 41c converted by software into a home control network key, establishes a data transmission connection to one home control network device 61 in the same property. A home control network key 42, 42b according to the invention, or a data processing device 41c converted into one, can however also advantageously work with separate home control network devices in two or more properties.
In the two embodiments of Fig. 1a and 1b the data transmission network has essentially the same basic topology. In both figures the Internet is denoted by reference numeral 2. A public network or intranet (reference numeral 3) is also connected to the Internet 2. Network 3 can be a fixed or a wireless data transmission network. In Fig. 1a, the first data transmission network 4, the house control remote network of the property, is connected to network 3, and the client device realizing the remote control (reference numeral 41a) can be connected to the house control remote network. In Fig. 1b, the home control network key 42b is connected to the data processing device 41c, which in turn is connected to the public network/intranet 3.
When the home control network device 61 or the home control network key 42, 42b is connected to its own local data transmission network, it sends a poll from time to time to the home control network server 21 belonging to the remote control system, in order to find out whether its counterpart device is connected to the network. If it becomes apparent from the reply sent by the home control network server 21 that the counterpart device is connected to its own data transmission network, the two members of the device pair start the process of establishing a virtual private network (VPN data transmission connection) by the process described below.
Reference numeral 5 in Fig. 1a and 1b denotes the house intranet in the property to be remotely controlled. A second data transmission network 6, the house control intranet, is connected to the house intranet 5. The actuators 62-65 to be remotely controlled in the property are connected to the house control intranet.
It is clear to a person skilled in the art that there can also be more sub-networks between the home control network device 61 and/or the home control network key 42, 42b or 41c according to the invention and the Internet 2 than are shown in Fig. 1a and 1b.
In the example of Fig. 1a and 1b, the second network terminal according to the invention, the home control network device 61 (HCND), is connected to the house intranet 10.0.0.0/24 (reference numeral 5). The house intranet 5 is connected to the Internet 2 through a network terminal 51. The network terminal 51 can be a router, a modem or a firewall, and it can also include a network address translator (NAT). In the example of Fig. 1a and 1b, the house intranet 5 is behind firewall FW1 (reference numeral 51), which includes a NAT function. The public IP address of firewall FW1 in the example of Fig. 1a and 1b is 240.1.1.2 (addresses in 240.0.0.0/4 are reserved on the real Internet and are used throughout this example purely as placeholders). In the house intranet 5, the internal IP address of firewall FW1 is 10.0.0.1. Two other example data processing devices are also connected to the house intranet 5; their IP addresses in the house intranet are 10.0.0.3 and 10.0.0.4.
The house control intranet 172.17.0.0/24 (HCI, reference numeral 6) is connected to the house intranet 5 via the home control network device 61. The IP address of the home control network device 61 is 172.17.0.1 in the house control intranet and 10.0.0.2 in the house intranet. In the example of Fig. 1a and 1b, four example devices/servers 62, 63, 64 and 65 are connected to the house control intranet 6. The devices/servers can be connected to the house control intranet 6 using fixed or wireless data transmission connections.
Reference numeral 62 denotes a lighting control web server whose IP address in the house control intranet is 172.17.0.5. To the remote user, the lighting control web server 62 appears as device HCND4.
Reference numeral 63 denotes a heating control web server whose IP address in the house control intranet is 172.17.0.4. To the remote user, the heating control web server 63 appears as device HCND1.
Reference numeral 64 denotes a surveillance camera web server whose IP address in the house control intranet is 172.17.0.3. To the remote user, the surveillance camera web server 64 appears as device HCND2.
Reference numeral 65 denotes an air-conditioning web server whose IP address in the house control intranet is 172.17.0.2. To the remote user, the air-conditioning web server 65 appears as device HCND3.
In the example of Fig. 1a, the first network terminal according to the invention, the home control network key 42 (HCNK), is connected to the house control remote network 172.17.0.0/24 (reference numeral 4). The house control remote network 4 is behind firewall FW2 (reference numeral 31) of the intranet 3. In this example the public IP address of NAT firewall 31 is 240.2.1.2 and its internal IP address is 10.0.1.1.
The house control remote network 172.17.0.0/24 (HCRN, reference numeral 4) is connected to the data transmission network 3 via the home control network key 42 according to the invention. The IP address of the home control network key 42 is 10.0.1.2 in the intranet 3 and 172.17.0.6 in the house control remote network. In the example of Fig. 1a and 1b, an example data processing device 41a is connected to the house control remote network 4, and its IP address in the house control remote network 4 is 172.17.0.7. The data processing device 41a is used when the user wishes to connect remotely to a device/server 62, 63, 64 or 65 of the house control intranet 6.
The home control network key 42 and the home control network device 61 according to the invention need routing information about each other so that they can establish a data transmission connection between them, based either on the data link layer or on the network layer; in the example of Fig. 1a and 1b this is the VPN data transmission connection 55. The home control network key 42 and the home control network device 61 store the routing information they have determined in the home control network server 21 (HCNS) on the Internet.
In the example of Fig. 1a, the NAT firewalls do not completely block outgoing UDP traffic. They are so-called stateful NAT firewalls, "with memory", which also do not change the source port number of UDP connections unpredictably unless they have to. In NAT-traversal terms this is an endpoint-independent mapping: once FW1 or FW2 has created a mapping for an outgoing UDP datagram, it reuses the same external port for later datagrams from the same internal socket, so a peer that learns the mapping through the home control network server 21 can reach it. A NAT that allocates a new external port per destination (symmetric NAT) breaks this assumption, which is why the alternative establishment methods of Fig. 3b exist. In the example of Fig. 1a, the object is to establish an Ethernet-level connection in the data link layer between the home control network key 42 and the home control network device 61.
When, in the remote control system 1A of Fig. 1a, a data transmission connection 55 belonging to a virtual private network (VPN) is to be established between the devices, both devices 42 and 61 retrieve from the home control network server 21 the routing information that their counterpart device has stored there. Before handing over the routing information, the home control network server 21 checks that the requesters actually are a permitted home control network key/home control network device pair. Using the retrieved routing information, the home control network key 42 and the home control network device 61 establish a direct VPN connection between them. When the VPN connection 55 is complete, the data processing device 41a in the house control remote network 4 can contact the devices 62, 63, 64 or 65 in the house control intranet 6.
To make establishing the data transmission connection possible, the home control network key 42 and the home control network device 61 must determine the network path from their own network at least as far as the Internet 2. Below, this network path information is referred to by the term routing information. The network path can advantageously be determined by the home control network key 42 and the home control network device 61 in the following way, for example.
In the example of Fig. 1a, the network route is determined by the home control network key 42 and the home control network device 61. These devices store the network path they have found in the home control network server 21, which keeps it in its memory.
The home control network key 42 and the home control network device 61 according to the invention also advantageously have the ability to determine free network space. The devices are configured to determine an available network space for themselves automatically by utilizing the network route information held by the home control network server 21. A device asks the home control network server 21 to provide some free part of the network space. The home control network server 21 checks the network paths it has received and returns a network block in which not a single address appears in the network path of any device known to it.
The home control network device 61 also advantageously provides DHCP and DNS service in its own sub-networks 4 and 6 for the devices connected to those sub-networks. In addition, the home control network key 42 and the home control network device 61 act as the default gateway for the devices connected to their sub-networks.
Fig. 1b shows another remote control system 1B according to the invention. In Fig. 1b, the data processing device 41c used by the user is connected to the data transmission network denoted by reference numeral 3. The embodiment of Fig. 1b differs from that of Fig. 1a in that the function of the home control network key 42 of Fig. 1a is replaced by a home control network key 42b containing a USB memory 42e, and the home control network key 42b can be connected to the data processing device 41c used by the client. In this embodiment the data processing device 41c and the device 42b together act as the home control network key.
In another advantageous embodiment of the invention, a computer program realizing the functions of the home control network key according to the invention is installed on the data processing device 41c. The computer program is advantageously stored on the data processing device 41c for example from a USB memory stick, by attaching the stick to a USB port of the data processing device 41c. It is clear to a person skilled in the art that some other prior-art data storage device can also be used as the storage medium of the computer program. In this embodiment the data processing device 41c emulates the home control network key according to the invention using the computer program installed on it.
In the example of Fig. 1b, the home control network key 42 of Fig. 1a is emulated wholly or partly in the user's data processing device 41c. The user contacts this emulation software on the data processing device 41c with a browser, or alternatively the emulation software opens a browser window on the data processing device 41c. The emulation is started by launching the emulation program according to the invention on the data processing device 41c; this program realizes in software all the functions of the physical home control network key 42.
In this embodiment all the functions of the home control network key 42 of Fig. 1a, that is communication, start-up and connection establishment, are realized with the user's data processing device 41c, so that a physically separate home control network key 42 as in Fig. 1a is not needed to establish the connection to the device 61 in the property.
If for some reason the direct VPN tunnel described above cannot be established between the home control network key 42, 42b or 41c and the home control network device 61 of Fig. 1a and 1b, or succeeds only occasionally (for example if a network component occasionally changes the source and/or destination port), the remote control arrangement can use the other access protocols described in connection with Fig. 3b. Also in this case the remote control system works, from the point of view of the client device user, in the same way as the remote control system presented in Fig. 1a or Fig. 1b.
The following is an example of the operation of the remote control system 1A according to the invention in the example of Fig. 1a.
Home control network device 61:
The home control network device 61 is connected to the 10.0.0.0/24 network (house intranet 5), for example by attaching a cable to the WAN port of the home control network device 61. The home control network device 61 retrieves its IP settings automatically using the DHCP process. Firewall FW1 in the house intranet 5 advantageously acts as the DHCP server, and this firewall gives the home control network device 61 the IP address 10.0.0.2 with a 24-bit netmask (255.255.255.0). The DHCP server also gives the default router address 10.0.0.1 and the DNS server address 10.0.0.1.
The home control network device 61 starts communication by finding out, by means of the DNS server, the IP address of the home control network server 21 (HCNS, DNS name etahallinta.fi). The DNS server 10.0.0.1 gives 240.1.1.1 as the IP address of the home control network server 21.
The home control network device 61 contacts the home control network server 21 on the Internet at 240.1.1.1 using the TCP or UDP protocol. The home control network device 61 uses a certificate and/or password assigned at manufacture to authenticate its mutual operating rights with the home control network server 21. This data transmission connection is advantageously encrypted, for example with SSL/TLS. Authentication matters in both directions here: the server must release routing information only to an authenticated member of a permitted pair, and the device must verify the server's identity, because the routing information it receives decides where it will build its tunnel. The home control network server 21 sees the public IP address of the home control network device 61 from the incoming connection; in the example of Fig. 1a it is 240.1.1.2. The home control network device 61 tells the home control network server 21 its own address and netmask (10.0.0.2/24). The home control network server 21 stores this information in its Tosibox database.
The home control network device 61 also advantageously performs a traceroute towards the home control network server 21 and reports the network path it found to the home control network server 21. The home control network server 21 stores the network path received from the home control network device 61 in its Tosibox database.
The home control network device 61 then also advantageously performs an ICMP record route operation and reports the route it found to the home control network server 21. The home control network server 21 stores the route received from the home control network device 61 in its Tosibox database.
Thereafter the home control network device 61 determines free network space automatically by sending a query to the home control network server 21. In the example of Fig. 1a and 1b, the home control network server 21 returns the network space 172.17.0.0/24 to the home control network device 61.
The home control network device 61 takes this network space into use for its intranet 6, and takes 172.17.0.1 as its own IP address. The home control network device 61 informs the home control network server 21 of this allocation, and the server stores the information in its Tosibox database.
In Fig. 1a and 1b the home control network device 61 is shown as a separate device of its own, which sets up its own sub-network for the devices to be controlled in the property. It is clear to a person skilled in the art that the functions of the home control network device 61 can also be integrated as part of a building automation or home technology device that has sufficient processor and memory capacity and connection means for attaching the various technical devices to it over wired or wireless data transmission connections.
Home control network key 42:
In the example of Fig. 1a, the WAN port of the home control network key 42 is connected to the 10.0.1.0/24 network (data transmission network 3). The home control network key 42 retrieves its IP address information from the DHCP server; firewall FW2 (reference numeral 31) acts as the DHCP server. The home control network key obtains the IP address 10.0.1.2. The address of the default router 31 of the home control network key 42 is 10.0.1.1 and the address of the DNS server 31 is 10.0.1.1; both are obtained from the DHCP server.
The home control network key 42 starts communication by finding out, by means of the DNS server, the IP address of the home control network server 21 (HCNS, DNS name hcns.fi). In this example the DNS server 10.0.1.1 gives 240.1.1.1 as the IP address of the home control network server 21.
Thereafter the home control network key 42 contacts the home control network server 21 on the Internet at address 240.1.1.1, primarily using the UDP protocol and secondarily the TCP protocol. The home control network key 42 uses a pre-assigned certificate and/or password to authenticate its mutual operating rights with the home control network server 21. This data transmission connection is advantageously encrypted, for example with SSL/TLS. The home control network server 21 sees the public IP address 240.2.1.2 of the home control network key 42 from the incoming connection. In addition, the home control network key 42 tells the home control network server 21 its address and netmask 10.0.1.2/24. The home control network server 21 stores this information in its Tosibox database.
The home control network key 42 then performs a traceroute operation and reports the network path it found to the home control network server 21, which stores the information in its Tosibox database.
The home control network key 42 also advantageously performs an ICMP record route operation and reports the network path it found to the home control network server 21, which stores the information in its Tosibox database.
The home control network server 21 checks the routing information it receives, and if there is an overlap, the home control network server 21 reports it to the home control network key 42, which then repeats the automatic determination of free network space where necessary.
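The free network space determination described above (the server returns a block in which no address appears in the network path of any device it knows) together with the overlap check of the previous paragraph, as an added example in Python. This is not code from the patent or from TOSIBOX: the pool 172.17.0.0/16 from which /24 blocks are handed out, the function names and the shape of the reported routing information are assumptions, and the reported entries are the Fig. 1a example addresses (plus constructed extra entries in the usage).

```python
"""Free network space determination, modelled on the home control network
server (HCNS) returning a block that overlaps none of the addresses it has
learned from the devices' routing information. Added example, not TOSIBOX code."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPNet = ipaddress.IPv4Network
NetLike = Union[str, IPNet]

# Constructed routing information in the shape the text describes: each device
# reports its own address/netmask, then the traceroute / record-route hops.
# The addresses are those of Fig. 1a (240.0.0.0/4 is a placeholder there too).
REPORTED_ROUTING_INFO: Dict[str, List[str]] = {
    "HCND-61": ["10.0.0.2/24", "10.0.0.1", "240.1.1.2", "240.1.1.1"],
    "HCNK-42": ["10.0.1.2/24", "10.0.1.1", "240.2.1.2", "240.1.1.1"],
}

# Assumed pool from which the server hands out blocks.
DEFAULT_POOL = "172.17.0.0/16"


def known_networks(routing_info: Dict[str, List[str]]) -> List[IPNet]:
    """Collapse everything the server has learned into a list of networks.

    A bare hop address becomes a /32; an address with a netmask (the device's
    own interface) becomes the whole subnet, since any address of that subnet
    may be in use behind the device."""
    nets = [ipaddress.ip_network(entry, strict=False)
            for entries in routing_info.values() for entry in entries]
    return list(ipaddress.collapse_addresses(nets))


def allocate_free_block(routing_info: Dict[str, List[str]],
                        pool: NetLike = DEFAULT_POOL,
                        prefixlen: int = 24,
                        in_use: Iterable[NetLike] = ()) -> Optional[IPNet]:
    """Return the first /prefixlen block of `pool` that overlaps neither a
    network reported by any known device nor a block already allocated, or
    None when the pool is exhausted."""
    pool_net = ipaddress.ip_network(pool)
    blocked = known_networks(routing_info) + [ipaddress.ip_network(n) for n in in_use]
    for candidate in pool_net.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(b) for b in blocked):
            return candidate
    return None


def check_overlap(routing_info: Dict[str, List[str]], block: NetLike) -> List[str]:
    """Server-side check of the text: which devices' routing information
    overlaps `block`? An empty list means the block can be used as is."""
    block_net = ipaddress.ip_network(block, strict=False)
    clashing = []
    for device, entries in routing_info.items():
        if any(ipaddress.ip_network(e, strict=False).overlaps(block_net) for e in entries):
            clashing.append(device)
    return clashing


if __name__ == "__main__":
    block = allocate_free_block(REPORTED_ROUTING_INFO)
    print("allocated:", block)                                   # 172.17.0.0/24
    print("overlap:", check_overlap(REPORTED_ROUTING_INFO, block))   # []
    # A device whose path already crosses 172.17.0.x pushes the allocation on.
    crowded = dict(REPORTED_ROUTING_INFO, **{"HCNK-77": ["172.17.0.9"]})
    print("next free:", allocate_free_block(crowded))            # 172.17.1.0/24
```

Whole subnets are blocked for interface entries rather than single addresses because a device's own LAN may contain hosts the server never hears about; the hops, by contrast, are single router addresses. The overlap re-check is what lets the key in the text ask again if another device registered a clashing block after the first allocation.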
Data processing device 41c as home control network key:
In the embodiment 1B of Fig. 1b, the home control network key 42 can be replaced by the home control network key 42b or by the user's data processing device 41c, onto which the computer program containing the functions of the home control network key is stored from a suitable data storage device (such as a USB memory stick). The home control network key 42b can advantageously be a so-called electronic device with a USB connection. In the embodiment of Fig. 1b the above functions of the home control network key 42 are performed by the computer program installed on the user's data processing device 41c from the USB memory stick.
In the embodiment of Fig. 1b, the pairing of the home control network key 42b and the home control network device 61 can be determined in connection with manufacture or at the final place of use. If the pairing is determined at the final place of use, the home control network key 42b is temporarily connected to the home control network device 61 in the embodiment of Fig. 1b. This connection is advantageously made through the USB port of the device or via a wireless radio network.
Through the pairing, the home control network key 42b and the home control network device 61 receive the identification code of their device pair and send their own identification code to their counterpart. Thereafter these two devices can establish a data transmission connection only with each other. The pairing step is therefore the trust boundary of the system: whoever can attach a key to the device at that moment, physically or over the radio link, defines which key the device will later accept.
The transfer of the home control network key computer program to the user's terminal 41c is advantageously realized as follows.
When the home control network key 42b is temporarily attached through its connector to the data processing device 41c, the computer program contained in the home control network key 42b, together with its individual identification code, is installed in the user's data processing device 41c (reference numeral 42e). In connection with this installation, the user of the data processing device 41c is asked whether he wants to use the protection function of the device and/or program. If the protection function is to be activated, the home control network key installation program asks the user for a password for the user's data processing device 41c only, for the installed program only, or for both, as required.
If desired, the home control network key and its program with its individual identification code can also be stored, together with the password, on a well-protected internal network server, from which it can be restored to a new home control network key when necessary (for example if the original key device is destroyed or lost).
In an advantageous embodiment of the invention, the program contained in the home control network key 42b can also be stored with its identification code on several data processing devices 41c, so that these data processing devices 41c can work in parallel with the first data processing device.
In an advantageous embodiment of the invention, the computer program contained in the home control network key 42b can for example also be located on a server on the Internet, from which it can be retrieved. In this advantageous embodiment the physical home control network key 42b itself may contain only the identification code needed to identify the device.
Fig. 2 shows, as an exemplary flow chart, the operation of the remote control method according to the invention after the home control network key 42 or 42b has been paired with the home control network device 61.
When the home control network device 61 or the home control network key 42, 42b is connected to its own local data transmission network, it sends a poll (so-called polling) from time to time to the home control network server 21 belonging to the remote control system, in order to find out whether the counterpart of its device pair is connected to the network. If it becomes apparent from the reply sent by the home control network server 21 that the counterpart of the device pair is connected to its own data transmission network, the two members of the device pair start the process of establishing the virtual private network (VPN data transmission connection) by the process described later.
In step 200, the home control network device 61 is connected to the house intranet 5, and the home control network key 42, or the data processing device 41c supporting or emulating the home control network key 42b, is also advantageously connected to the intranet 3. All devices to be remotely controlled in the property are connected to the home control network device 61 using fixed or wireless connections.
In step 201, both the home control network device 61 and the home control network key 42, 42b, or the data processing device 41c emulating the home control network key, determine their network path to the home control network server 21 if their current network routing information is not up to date. The process used in step 201 is shown in more detail in Fig. 3a.
In step 202, the home control network device and/or the home control network key 42, 42b, or the data processing device 41c emulating the home control network key, store the network path they have determined in the home control network server 21, if up-to-date network route information could be determined.
In step 203, the devices 42, 42b or 41c and 61 according to the invention that are to be used in the remote control receive a message stating that their device pair is registered with the home control network server 21, or that the registration is missing. If the latest network routing information of one of the devices 42, 42b or 41c and 61 belonging to the device pair is missing, the remote control system 1A or 1B moves, after a specified delay 212, to the home control network server connection listening and checking step 213.
When the connection establishment starts, both the home control network key 42/42b and the home control network device 61 request in step 204 the latest network routing information of their counterpart from the home control network server 21. The home control network server 21 checks that the requesters are a predetermined, permitted device pair, and after the check sends the network route information to both devices in step 205. Thereafter the home control network server 21 releases its connections to the two devices 42/42b and 61, so that it is no longer part of the VPN tunnel 55 being formed.
In step 206, the home control network key 42/42b/41c and the home control network device 61 form the VPN tunnel 55 between them. The sub-steps included in step 206 are described in more detail in Fig. 3b.
In step 207, both the user's client device 41a or 41c and the target devices 62-65 in the property are connected to the established VPN.
In the embodiment of Fig. 1a, the user's client device 41a is connected to the VPN by the home control network key 42. In the embodiment of Fig. 1b, the home control network key 42b connected to the user's data processing device 41c is one of the endpoints of the VPN. The devices 62-65 to be remotely controlled in the target are connected to the VPN by the home control network device 61.
In step 208, the user's client device 41a or 41c and the devices 62-65 to be controlled in the property are part of the same VPN, and they can therefore exchange information with each other. After a delay specified in the remote control system, step 209 checks whether the data transmission connection between the client device 41a or 41c and the target devices 62-65 is still active. If the data transmission connection is active, the process returns to step 208 and data transmission is allowed to continue.
If in step 209 the VPN connection is found to be no longer active, a decision is made in step 210 about a possible new connection attempt.
If it is decided in step 210 to make a new connection attempt, the process branches to step 214. In step 214 it is checked whether the members know the latest network path of their counterpart. If the network route information is up to date, the process branches to step 205, where the home control network server sends the latest network routing information of the counterpart to the devices according to the invention for establishing the VPN tunnel.
If in step 214 one of the network path details is found to be missing or out of date, the process returns to step 201, where the network route information of one or both of the devices according to the invention is updated.
In this alternative the process advantageously also includes the procedures needed for releasing the VPN connection, so that the connection process according to the invention itself can be updated successfully. Connection establishment is attempted a predetermined number of times.
If it is decided in step 210 that no new attempt to establish the VPN connection will be made, because the predetermined number of connection establishment attempts has been reached or because for some other reason it is not desired to establish the VPN connection, the process moves to step 211. In step 211 the VPN data transmission network in use is released. This is the situation, for example, when the home control network key is switched off.
After the VPN data transmission network has been released, the predetermined delay 212 used in the process of the remote control system 1A or 1B follows. After the delay 212 the process moves to the home control network server listening function 213. There, at least the home control network device 61, which is currently powered, sends connection requests to the home control network server 21 from time to time.
The home control network device 61 advantageously keeps sending connection requests until the home control network server 21 sends it the latest network routing information. When the network route information is received, the VPN connection establishment process starts in step 201.
A branch to step 212 can also occur from step 203. This happens when the network route information of one or both devices cannot be determined and stored in the home control network server. This branch of the process also returns to step 201 after steps 213 and 214; there at least one of the devices participating in the remote control tries to determine its network route information and store it in the home control network server 21.
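The server-side part of the Fig. 2 procedure, the polling of step 203, the pair check before the routing information is released in steps 204-205 and the release in step 211, as an added example in Python. This is not code from the patent or from TOSIBOX: the class and method names, the HMAC challenge-response standing in for the pre-assigned certificate/password, the session tokens and the constructed walk-through with the Fig. 1a addresses are all assumptions. The point it makes is that the server derives "who is your counterpart" from the authenticated session, never from the request, so a device can only ever be told about its own pair member.

```python
"""Rendezvous and pair-authorization model of HCNS 21 (added example, not TOSIBOX code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RoutingInfo:
    public_addr: str          # address the server saw the connection come from
    local_addr: str           # address/netmask the device reported for itself
    path: Tuple[str, ...]     # hops from traceroute / record route


def device_proof(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Client side of the (assumed) challenge-response authentication."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()


class HomeControlNetworkServer:
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}        # device_id -> pre-assigned secret
        self._pair_of: Dict[str, str] = {}          # device_id -> counterpart id
        self._pending: Dict[str, bytes] = {}        # device_id -> outstanding nonce
        self._sessions: Dict[str, str] = {}         # token -> device_id
        self._online: Dict[str, RoutingInfo] = {}   # device_id -> registered info

    def provision_pair(self, dev_a: str, dev_b: str) -> Dict[str, bytes]:
        """Pairing (at manufacture or at the place of use): both members get a
        secret and are bound to each other; nothing else is ever a counterpart."""
        creds = {d: secrets.token_bytes(32) for d in (dev_a, dev_b)}
        self._secrets.update(creds)
        self._pair_of[dev_a], self._pair_of[dev_b] = dev_b, dev_a
        return creds

    def challenge(self, device_id: str) -> bytes:
        self._pending[device_id] = nonce = secrets.token_bytes(16)
        return nonce

    def authenticate(self, device_id: str, proof: bytes) -> Optional[str]:
        nonce, secret = self._pending.pop(device_id, None), self._secrets.get(device_id)
        if nonce is None or secret is None:
            return None
        if not hmac.compare_digest(proof, device_proof(secret, device_id, nonce)):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = device_id
        return token

    def _device(self, token: str) -> str:
        if token not in self._sessions:
            raise PermissionError("unknown or released session")
        return self._sessions[token]

    def register(self, token: str, info: RoutingInfo) -> None:
        """Step 202: store the routing information the device determined."""
        self._online[self._device(token)] = info

    def poll(self, token: str) -> bool:
        """Step 203 / periodic poll: is my counterpart registered right now?"""
        return self._pair_of.get(self._device(token)) in self._online

    def peer_routing_info(self, token: str) -> Optional[RoutingInfo]:
        """Steps 204-205: the counterpart's routing information, only for an
        authenticated member of a provisioned pair whose counterpart is online."""
        peer = self._pair_of.get(self._device(token))
        return self._online.get(peer) if peer else None

    def release(self, token: str) -> None:
        """Step 211: drop session and presence, so a stale token cannot be
        replayed later and the counterpart's poll turns negative."""
        self._online.pop(self._sessions.pop(token, None), None)


def run_exchange() -> dict:
    """Constructed walk-through with the Fig. 1a example addresses."""
    server = HomeControlNetworkServer()
    creds = server.provision_pair("HCND-61", "HCNK-42")
    creds.update(server.provision_pair("HCND-99", "HCNK-99"))     # an unrelated pair

    def login(dev: str, secret: bytes) -> Optional[str]:
        return server.authenticate(dev, device_proof(secret, dev, server.challenge(dev)))

    t_dev, t_key = login("HCND-61", creds["HCND-61"]), login("HCNK-42", creds["HCNK-42"])
    server.register(t_dev, RoutingInfo("240.1.1.2", "10.0.0.2/24", ("10.0.0.1", "240.1.1.2")))
    key_polled = server.poll(t_key)                 # device is already registered
    server.register(t_key, RoutingInfo("240.2.1.2", "10.0.1.2/24", ("10.0.1.1", "240.2.1.2")))
    out = {
        "key_polled_device_online": key_polled,
        "device_sees": server.peer_routing_info(t_dev),
        "key_sees": server.peer_routing_info(t_key),
        "impostor_token": login("HCND-61", b"guess"),                       # wrong secret
        "stranger_sees": server.peer_routing_info(login("HCNK-99", creds["HCNK-99"])),
    }
    server.release(t_key)
    out["device_polls_after_release"] = server.poll(t_dev)
    try:
        server.peer_routing_info(t_key)
        out["released_token_rejected"] = False
    except PermissionError:
        out["released_token_rejected"] = True
    return out
```

The stranger case is the one worth noting: HCNK-99 authenticates successfully, but the only thing it can ask for is its own counterpart, which is not online, so it learns nothing about HCND-61. In a deployment the secret would be a per-device certificate under TLS rather than an HMAC key, and the server's own certificate would be pinned by the devices, since the routing information it returns is what the tunnel is built towards.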
The search process used in step 201 is described in more detail in Fig. 3a.
In step 2011, the IP settings of the network interface of the data processing device can be retrieved using the Dynamic Host Configuration Protocol (DHCP). The settings available through the DHCP process include at least the IP address of the data processing device, the netmask, the default gateway and the DNS (domain name system) server, which converts domain names into IP addresses.
The traceroute process used in step 2012 is a tool of the TCP/IP protocol suite that finds out by which route, or network path, packets travel to a given machine. In the traceroute process, a data transmission device connected to the network finds out the network path by increasing the time-to-live value (TTL) of the packets it sends, one TTL value at a time, starting from the first hop.
Finding out the network path generally happens in the following way. The data processing device sends an IP packet addressed to some destination in the external network with the smallest TTL value (TTL 1 in standard traceroute implementations; the text counts this first probe as value "0"). The default gateway decrements the TTL to zero, discards the packet and responds with an ICMP "TTL exceeded" message. From this message the IP address of the default gateway, the round-trip delay and so on become clear.
Thereafter the data processing device sends an IP packet with the next TTL value, addressed to the same destination, via the default gateway. The router after the default gateway in turn responds with a "TTL exceeded" message, and from this message the IP address of this next (second) router becomes clear. This send/response process continues with increasing TTL values until the desired destination is reached; the destination itself answers not with "TTL exceeded" but with an ICMP port unreachable (UDP probes) or echo reply (ICMP probes), which is how the process knows to stop, and hops that do not answer are recorded as unknown without stopping the run. On the Internet the final destination is generally reached with a TTL value of 6-15. The end result is that the data processing device knows its network path to the outside world (for example the Internet).
The ICMP protocol (Internet Control Message Protocol) can also be used when finding out the external addresses. In the ICMP process the Record Route option is set on the ICMP packets; this option (an IP header option carried by the ICMP echo request, as with ping -R) asks the operating system of each router on the network path to record its outgoing IP address in the packet header. The option has room for at most nine addresses and many routers ignore or strip it, so its result complements the traceroute rather than replacing it.
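The TTL-stepping path discovery of step 2012, as an added example in Python. This is not code from the patent or from TOSIBOX. The probe transport is injected as a function so the algorithm runs offline against a constructed topology (the hop list below uses the Fig. 1a addresses plus a made-up intermediate hop); a real UDP/ICMP probe using raw sockets is included for reference but needs root and is not exercised here. Function names and the response classification are assumptions.

```python
"""Traceroute-style path discovery with an injectable probe (added example)."""
from typing import Callable, Iterable, List, Optional, Tuple

# Probe outcomes, mirroring the ICMP replies traceroute relies on.
TIME_EXCEEDED = "time-exceeded"   # ICMP type 11: an intermediate router
DEST_REACHED = "dest-reached"     # ICMP type 3 (port unreachable) or echo reply
TIMEOUT = "timeout"               # nothing within the wait time

Probe = Callable[[int], Tuple[str, Optional[str]]]   # ttl -> (kind, responder)


def traceroute(probe: Probe, max_hops: int = 30) -> List[Optional[str]]:
    """Send probes with TTL 1, 2, 3, ... and collect the responding address per
    hop. Stops when the destination answers or max_hops is exhausted; a hop
    that stays silent is recorded as None ('*') and does not stop the run."""
    path: List[Optional[str]] = []
    for ttl in range(1, max_hops + 1):
        kind, responder = probe(ttl)
        if kind == TIMEOUT:
            path.append(None)
            continue
        path.append(responder)
        if kind == DEST_REACHED:
            break
    return path


def reported_path(trace: List[Optional[str]]) -> Tuple[str, ...]:
    """What a device would report to the server: the known hops, in order."""
    return tuple(hop for hop in trace if hop is not None)


def make_fake_probe(hops: List[str], destination: str,
                    silent: Iterable[str] = ()) -> Probe:
    """Constructed topology: routers in order, then the destination. Routers
    listed in `silent` drop the probe without answering."""
    silent = set(silent)
    def probe(ttl: int) -> Tuple[str, Optional[str]]:
        if ttl <= len(hops):
            hop = hops[ttl - 1]
            return (TIMEOUT, None) if hop in silent else (TIME_EXCEEDED, hop)
        return DEST_REACHED, destination
    return probe


def udp_probe_factory(dest: str, base_port: int = 33434, timeout: float = 2.0) -> Probe:
    """Real transport for reference (needs CAP_NET_RAW / root; not run offline):
    an empty UDP datagram with the given TTL, ICMP reply read from a raw socket.
    Simplified: it does not match the quoted datagram inside the ICMP reply, so
    an unrelated ICMP message arriving at the same moment could be misattributed."""
    import socket
    def probe(ttl: int) -> Tuple[str, Optional[str]]:
        rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            rx.settimeout(timeout)
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            tx.sendto(b"", (dest, base_port + ttl))
            try:
                data, (addr, _) = rx.recvfrom(512)
            except socket.timeout:
                return TIMEOUT, None
            ihl = (data[0] & 0x0F) * 4          # IPv4 header length precedes ICMP
            icmp_type = data[ihl]
            if icmp_type == 11:
                return TIME_EXCEEDED, addr
            if icmp_type == 3:
                return DEST_REACHED, addr
            return TIMEOUT, None
        finally:
            rx.close()
            tx.close()
    return probe


# Constructed path from the HCND side of Fig. 1a towards the server: FW1's inside
# address, its public side, one made-up provider router, then HCNS at 240.1.1.1.
FIG1A_HOPS = ["10.0.0.1", "240.1.1.2", "240.1.7.1"]

if __name__ == "__main__":
    trace = traceroute(make_fake_probe(FIG1A_HOPS, "240.1.1.1", silent={"240.1.7.1"}))
    print(trace)                      # ['10.0.0.1', '240.1.1.2', None, '240.1.1.1']
    print(reported_path(trace))       # ('10.0.0.1', '240.1.1.2', '240.1.1.1')
```

The silent hop is the case a practitioner hits most: a firewall that rate-limits or drops ICMP leaves a gap in the path, and the report to the server must tolerate that gap rather than treat it as the end of the path.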
Fig. 3b shows some of the connection establishment processes 2060-2064 used in step 206 of Fig. 2 to realize the establishment of the VPN tunnel. In Fig. 3b the alternative connection establishment processes are shown as parallel processes used at the same time. The invention is not limited to this embodiment, however; the connection establishment processes can also be implemented as consecutive connection establishment processes in a manner suitable for the application. In that embodiment, once one connection establishment method has produced the VPN tunnel, the other connection establishment methods need not necessarily be tried.
The example of Fig. 3b shows five possible methods of establishing the VPN tunnel. Reference numeral 2060 denotes establishing the VPN tunnel using the TCP protocol. In step 2060a it is found out whether the elements of the communication network between the home control network device and the home control network key allow the connection to be established. If the connection cannot be made, connection establishment is advantageously attempted again.
Reference numeral 2061 denotes establishing the VPN tunnel using the UDP protocol. In step 2061a it is found out whether the elements of the communication network between the home control network device and the home control network key allow the connection to be established. If the connection cannot be made, connection establishment is advantageously attempted again.
Reference numeral 2062 denotes establishing the VPN tunnel using the UDP port scanning described later. In step 2062a it is found out whether the elements of the communication network between the home control network device and the home control network key allow the connection to be established. If the connection cannot be made, connection establishment is advantageously attempted again.
Reference numeral 2063 denotes establishing the VPN tunnel using the ICMP process described later. In step 2063a it is found out whether the elements of the communication network between the home control network device and the home control network key allow the connection to be established. If the connection cannot be made, connection establishment is advantageously attempted again.
Reference numeral 2064 denotes establishing the VPN tunnel using the TCP relay process described later. This process is advantageously used when the network elements between the home control network device and the home control network key do not allow a direct end-to-end VPN tunnel to be established. In this process, too, it is found out in step 2064a whether a secure data transmission connection could be established successfully between the home control network device and the home control network key. If the connection cannot be made, connection establishment is advantageously attempted again. Because a relay is a third host on the path, the tunnel's cryptographic endpoints should remain the key and the device; a relay that terminated the encryption itself would see the control traffic in clear.
Each of the connection establishment processes 2060-2064 can provide a VPN data transmission connection between the home control network device 61 and the home control network key 42 or 42b. In step 2069, one or more of the VPN tunnels is selected to be used as the data transmission connection.
All the process steps shown in Fig. 2, 3a and 3b are realized with program commands executed in a suitable general-purpose or special-purpose processor. The program commands are stored on a storage medium (such as a memory) used by the home control network device 61 and the home control network key 42, from which the processor can retrieve and execute them. References to a computer-readable medium can also cover, for example, special components such as programmable USB flash memory, programmable logic arrays (FPLA), application-specific integrated circuits (ASIC) and signal processors (DSP).
An example of establishing a VPN tunnel using the UDP protocol, reference numeral 2061, in the arrangement of Fig. 1a:
Home control network key 42 starts the pairing process. It notifies home control network server 21 that it wants to establish a data transfer connection to home control network device 61, advantageously using the UDP protocol. Home control network server 21 decides that the requested data transfer connection is to be set up using the following port numbers:
- home control network key: UDP source port 10500, UDP target port 10501, target IP address 240.1.1.2
- home control network device: UDP source port 10501, UDP target port 10500, target IP address 240.2.1.2
Home control network server 21 reports this information to home control network key 42 and home control network device 61.
Thereafter, home control network key 42 sends a UDP packet from source port 10500 to address 240.1.1.2 on target port 10501. The sent packet passes through firewall FW2, which includes a NAT function, because outgoing traffic is not strongly restricted. FW2 firewall 31 remembers the UDP packet for the next X seconds as a connection with the contact details 10.0.0.2, 240.1.1.2, 10500 and 10501.
The UDP packet arrives at the FW1 firewall in front of home control network device 61. This firewall does not allow incoming traffic and drops the packet. The packet does not reach address 10.0.0.2.
Home control network device 61 sends a UDP packet from source port 10501 to address 240.2.1.2 on target port 10500. The sent UDP packet passes through FW1 NAT firewall 51, because outgoing traffic is not restricted. FW1 firewall 51 remembers the UDP packet for the next X seconds as a connection with the contact details 10.0.0.2, 240.2.1.2, 10501 and 10501.
The UDP packet arrives at FW2 firewall 31. FW2 firewall 31 remembers that IP address 10.0.1.2 has established a UDP connection from source port 10500 to address 240.1.1.2 on target port 10501. Because the UDP packet comes from source port 10501 and from source address 240.2.1.2 to target port 10500, FW2 firewall 31 interprets the packet as return traffic belonging to the connection established by device 10.0.1.2. Firewall FW2 then performs an address translation: it changes the destination address of the UDP packet to 10.0.1.2. Thereafter FW2 firewall 31 routes the UDP packet to address 10.0.1.2. Home control network key 42 now receives a message from home control network device 61. A one-way data transfer connection from home control network device 61 to home control network key 42 now exists.
Now home control network key 42 sends a UDP packet from source port 10500 to address 240.1.1.2 on target port 10501. The UDP packet arrives at FW1 firewall 51. FW1 firewall 51 remembers that IP address 10.0.1.2 has established a UDP connection from source port 10501 to address 240.2.1.2 on target port 10500. Because the UDP packet comes from source port 10501 and from source address 240.2.1.2 to target port 10500, FW2 firewall 51 interprets the received packet as return traffic belonging to the connection established by device 10.0.0.2. FW1 firewall 51 performs an address translation, that is, it changes the destination address of the packet to 10.0.0.2. Thereafter FW1 firewall 51 routes the packet to address 10.0.0.2.
Now a two-way UDP connection exists between home control network key 42 and home control network device 61. The devices can communicate with each other in both directions. Home control network device 61 and home control network key 42 advantageously create a data link layer level VPN tunnel between them using, for example, OpenVPN software.
Home control network device 61 advantageously bridges the created VPN tunnel 55 with the house control remote network 172.17.0.0/24 (reference numeral 6) that it manages. In the same way, home control network key 42 bridges the created VPN tunnel 55 with its LAN ports, so that it can provide an intranet interface in network 172.17.0.0/24 at data link layer level. After these operations, house control remote network 4 and house control intranet 6 form a private VPN over Internet 2.
An example of establishing a VPN tunnel using UDP port scanning, reference numeral 2062, in the arrangement of Fig. 1a:
UDP port scanning can be used if an element in the data transmission network occasionally changes the source or target port. The steps of the method described below differ depending on whether the element that occasionally changes the source or target port is in front of the sending party or in front of the receiving party.
1. Scanning on the source port:
Firewall 51 in front of home control network device 61 changes the source address of the sent packets, but the source port does not change.
Home control network device 61 starts sending UDP packets with the following information: source port 5000, source IP 10.0.0.2, target IP 5.5.5.5, target port for example between 1024->1054 (30 different source ports). The data (payload) of each UDP packet contains the selected target port, for example 1024. By means of this, the receiving end knows through which port the sent packet passed firewall 31.
The transmission interval of the UDP packets is advantageously 200 milliseconds. For example, a UDP packet is first sent from source port 1024, after 200 ms another UDP packet is sent from source port 1025, and so on. After a UDP packet has been sent from the last source port 1054 (after about 6 seconds), home control network device 61 again sends UDP packets in the same order, starting from source port 1024.
Thereafter, home control network key 42 also starts sending UDP packets with the following information: source IP 10.0.1.2, target IP 6.6.6.6, target port 5000, source port for example between 1024->65535 (64511 different source ports). The transmission interval of the UDP packets is advantageously 50 milliseconds. That is, for example, a UDP packet is first sent from source port 1024, after 50 ms another UDP packet is sent from source port 1025, and so on. The payload of each UDP packet contains the source port used, for example 1024. This information makes it possible to identify which of the used source ports NAT firewall 51 changed as the packet passed through it.
The aim during this step is that either the UDP packets sent by home control network key 42 pass through firewall 51, or the UDP packets sent by home control network device 61 pass through firewall 31 of home control network key 42. When one or the other of the devices sees a UDP packet pass through safely, a response to that UDP packet is made from the source port that the UDP packet appears to have come from. Thereafter, establishment of the VPN connection can begin.
The transmission of packets continues until the connection works or connection establishment is cancelled.
2. Scanning on the target port:
NAT firewall 31 in front of home control network key 42 changes both the source address and the source port of the sent packets. Usually the source port changes occasionally; for example, source port 1024 may be changed to source port 16431.
Home control network key 42 starts sending UDP packets with the following information: source port 5000, source IP 10.0.1.2, target IP 6.6.6.6, source port for example between 1024->1054 (30 different source ports). The data (payload) of each UDP packet contains the source port, for example 1024. By means of this, the receiving end knows from which source port the sent UDP packet passed through firewall 31.
The transmission interval of the UDP packets is advantageously 200 milliseconds. For example, a UDP packet is first sent from source port 1024, after 200 ms a UDP packet is sent from source port 1025, and so on. After a UDP packet has been sent from the last source port 1054 (after about 6 seconds), home control network key 42 again sends UDP packets in the same order, starting from source port 1024.
Thereafter, home control network device 61 starts sending UDP packets with the following information: source IP 10.0.0.2, target IP 5.5.5.5, source port 5000, target port for example between 1024->65535 (64511 different target ports). The transmission interval of the packets is advantageously 50 milliseconds. First a UDP packet is sent to target port 1024, after 50 ms to target port 1025, and so on. The payload of each UDP packet contains the target port used by the packet, for example 1024. This information makes it possible to identify which of the used target ports NAT firewall 31 changed as the packet passed through it.
The aim during this step is that either the UDP packets sent by home control network key 42 pass through firewall 51 in front of home control network device 61, or the UDP packets sent by home control network device 61 pass through firewall 31 in front of home control network key 42. When one of the devices sees a UDP packet pass through, a response to that packet is made to the source port that the packet appears to have come from.
The transmission of packets continues until the connection works or connection establishment is cancelled.
In both of the cases above, establishment of the VPN connection can begin as follows:
The following three ports are used for the VPN connection:
- the source port used by home control network device 61 (host1_real_source_port);
- the source port as changed by NAT firewall 51 of the home control network device, which is the same as the target port used by home control network key 42 (host1_translated_source_port);
- the target port used by home control network key 42 (host2_real_source_port).
Home control network device 61 opens a VPN connection with:
- target IP 6.6.6.6
- source port host1_real_source_port
- source port host2_real_source_port
Home control network key 42 opens a VPN connection with:
- target IP 5.5.5.5
- source port host2_real_source_port
- target port host1_translated_source_port
Both NAT firewalls 31 and 51 consider the connection to have been established from their own intranet, and thus the UDP connection is routed across NAT firewalls 31 and 51.
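The two UDP procedures above (reference numerals 2061 and 2062) depend on how a stateful NAT firewall admits return traffic. The following added example, which is not code from the patent or from TOSIBOX, replays both against a constructed model of firewalls 31 and 51: fixed-port hole punching first, then the port-scanning case in which firewall 51 randomises the device's source port and the key scans target ports until the port triple of the text is known. The public addresses 5.5.5.5 and 6.6.6.6 of the later examples are used throughout, and the NAT model assumes one translated port per (inside host, inside port, peer) mapping.

```python
# Constructed model of the two stateful NAT firewalls of Fig. 1a (added
# illustration, not the patent's code). FW2 (31) fronts key 42, FW1 (51)
# fronts device 61.
import random
from dataclasses import dataclass

KEY_IP, KEY_PUB = "10.0.1.2", "5.5.5.5"   # home control network key 42 behind FW2 (31)
DEV_IP, DEV_PUB = "10.0.0.2", "6.6.6.6"   # home control network device 61 behind FW1 (51)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatFirewall:
    """Stateful NAT as described in the text: an outbound packet creates a
    mapping for (inside host, inside port, peer ip, peer port); an inbound
    packet is admitted only if it matches such a mapping as return traffic,
    otherwise it is dropped. With randomize_ports=True the firewall also
    rewrites the source port, the case that motivates UDP port scanning."""

    def __init__(self, public_ip, randomize_ports=False, seed=0):
        self.public_ip = public_ip
        self.randomize_ports = randomize_ports
        self.rng = random.Random(seed)
        self.out_map = {}   # (in_ip, in_port, peer_ip, peer_port) -> translated port
        self.in_map = {}    # (translated port, peer_ip, peer_port) -> (in_ip, in_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            tport = pkt.src_port
            # pick an unused, different port when this NAT randomises ports
            while self.randomize_ports and (
                    tport == pkt.src_port or (tport, pkt.dst_ip, pkt.dst_port) in self.in_map):
                tport = self.rng.randint(1024, 65535)
            self.out_map[key] = tport
            self.in_map[(tport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None   # no matching state: dropped, like FW1 in the first step
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


def hole_punch_fixed_ports():
    """Reference numeral 2061 with the server-agreed ports 10500/10501.
    Returns whether each of the three packets of the text was delivered."""
    fw2, fw1 = NatFirewall(KEY_PUB), NatFirewall(DEV_PUB)
    # 1. key -> device: FW2 creates state, FW1 has none and drops the packet
    first = fw1.inbound(fw2.outbound(Packet(KEY_IP, 10500, DEV_PUB, 10501))) is not None
    # 2. device -> key: FW1 creates state, FW2 sees matching return traffic
    second = fw2.inbound(fw1.outbound(Packet(DEV_IP, 10501, KEY_PUB, 10500))) is not None
    # 3. key -> device again: FW1 now holds state, so the packet is admitted
    third = fw1.inbound(fw2.outbound(Packet(KEY_IP, 10500, DEV_PUB, 10501))) is not None
    return first, second, third   # (False, True, True)


def port_scan(seed=7):
    """Reference numeral 2062: FW1 randomises the device's source port, so the
    key scans target ports until a probe lands on a live mapping. Returns the
    port triple of the text and whether the device's answer got back through."""
    fw2 = NatFirewall(KEY_PUB)
    fw1 = NatFirewall(DEV_PUB, randomize_ports=True, seed=seed)
    # device 61 probes from 30 source ports; each payload names the port used
    for sp in range(1024, 1054):
        probe = fw1.outbound(Packet(DEV_IP, sp, KEY_PUB, 5000, str(sp).encode()))
        assert fw2.inbound(probe) is None   # key side has no state yet
    # key 42 scans target ports from fixed source port 5000; payload = target port
    hit = None
    for tp in range(1024, 65536):
        out = fw2.outbound(Packet(KEY_IP, 5000, DEV_PUB, tp, str(tp).encode()))
        hit = fw1.inbound(out)
        if hit is not None:
            break
    if hit is None:
        return None
    triple = {
        "host1_real_source_port": hit.dst_port,            # device's own port
        "host1_translated_source_port": int(hit.payload),  # port FW1 exposed
        "host2_real_source_port": 5000,                    # key's port
    }
    # device answers from host1_real_source_port; FW2 already holds state for it
    reply = fw1.outbound(Packet(DEV_IP, hit.dst_port, KEY_PUB, 5000, b"vpn"))
    return triple, fw2.inbound(reply) is not None
```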
An example of establishing a VPN tunnel using the ICMP protocol, reference numeral 2063, in the arrangement of Fig. 1a:
If the network elements in the data transmission network allow communication with ICMP ECHO and ICMP ECHO REPLY type packets, the control protocol of the IP protocol can be used.
ICMP method 1: permanent ICMP ECHO ID:
This embodiment is possible when the firewalls in the data transmission network do not react to TTL expired messages.
Home control network key 42 sends via router 10.0.1.1 an IP packet with the following information: target IP 6.6.6.6, source IP 10.0.1.2, TTL 1, type ICMP, ICMP type ECHO REQUEST, ID 1234, sequence 1, and the payload of the packet is empty.
The sent packet passes through NAT firewall 31, whereby the source IP of the packet changes -> 5.5.5.5 and the TTL of the packet changes 1 -> 0. NAT firewall 31 remembers that source IP 10.0.1.2 has sent one echo request with ID number 1234.
A router in Internet 2 (not shown in Fig. 1a), whose example IP address is 3.1.1.1, receives the IP packet, the TTL of which is 0. This router sends an "ICMP TTL time to live expired" message back to firewall 31.
Firewall 31 receives the "ICMP TTL time to live expired" message but does not react to it.
Home control network device 61 sends via router 10.0.1.1 an IP packet with the following information: target IP 5.5.5.5, source IP 10.0.0.2, TTL 255, type ICMP, ICMP type ECHO REPLY, ID 1234, sequence 1, and the payload of the packet advantageously contains 30-1400 bytes of VPN traffic.
The sent ICMP ECHO packet passes through firewall 51, whereby the source IP of the packet changes -> 6.6.6.6. The ICMP packet arrives at firewall 31. Firewall 31 remembers that a request with ICMP ECHO ID number 1234 was sent earlier. Firewall 31 remembers that the sender of the request is device 10.0.1.2. Firewall 51 further routes the packet to address 10.0.1.2. The target IP of the packet changes 5.5.5.5 -> 10.0.1.2.
Home control network key 42 receives the ICMP ECHO packet; thus home control network device 61 has successfully sent a packet of free-form data to home control network key 42.
Correspondingly, home control network key 42 continues to send ICMP ECHO REQUEST packets, and home control network device 61 continues to send ICMP ECHO REPLY messages. Home control network key 42 and home control network device 61 thereby form a one-way data transfer connection between themselves.
Then home control network key 42 and home control network device 61 also form another, reverse ICMP connection. This connection is established as described above; only the direction of connection establishment changes. At the end of the connection establishment process, home control network device 61 receives an ICMP packet sent by home control network key 42, the payload of which advantageously contains 30-1400 bytes of VPN traffic.
Home control network key 42 and home control network device 61 continue to send requests to each other as described above. Thus a two-way connection now exists between home control network key 42 and home control network device 61. The ECHO REPLY messages contain the TLS-encrypted communication of the VPN connection, and a direct VPN connection penetrating NAT firewalls 31 and 51 has been successfully formed between home control network key 42 and home control network device 61.
ICMP method 2: variable ICMP ECHO ID:
The data transfer connection may contain network elements, such as firewalls, that process TTL messages (time to live expired) in such a way that a new ICMP ECHO REQUEST is required for an ICMP ECHO REPLY to be let through. Thus each "TTL expired" message "eats" the place of one ICMP ECHO REPLY packet: when such a network element sees a "TTL expired" message, it no longer routes the "ICMP ECHO REPLY" message to the target.
The difference from the permanent ICMP ECHO ID case is that the ICMP ECHO ID is different for each ICMP ECHO REQUEST and ICMP ECHO REPLY packet pair. The transmission of the ICMP ECHO REQUEST and ICMP ECHO REPLY packet pairs is synchronised on the basis of time; the ICMP ECHO REQUEST and the ICMP ECHO REPLY are sent essentially simultaneously. Thus the ICMP ECHO REQUEST leaves the NAT firewall of the sending party, and the ICMP ECHO REPLY of the other device arrives at the same firewall afterwards.
Advantageously a large value is used as the TTL value, so that the ICMP ECHO REQUEST packet stays on its way as long as possible before the firewall receives "TTL expired" or "error", or an "ICMP ECHO REPLY" from the firewall of the other end.
An example of this ICMP ECHO method in the case of Fig. 1a follows:
Home control network key 42 sends via router 10.0.0.1 an IP packet with the following information: target IP 6.6.6.6, source IP 10.0.1.2, TTL 255, type ICMP, ICMP type ECHO REQUEST, ID 1000, sequence 1, and the payload of the packet is empty.
At the same time, home control network device 61 sends an IP packet with the following information: target IP 5.5.5.5, source IP 10.0.0.2, TTL 255, type ICMP, ICMP type ECHO REPLY, ID 1000, sequence 1. The payload of the packet contains at its beginning the number "2000", followed by the requested transmission interval of ICMP ECHO REQUESTs (for example 500 ms), and thereafter advantageously 30-1400 bytes of freely formed VPN communication.
The ICMP ECHO REQUEST packet sent by home control network key 42 passes through NAT firewall 31, whereby the source IP of the packet changes -> 5.5.5.5. NAT firewall 31 remembers that source IP 10.0.0.2 has sent an ICMP ECHO REQUEST with ID number 1000.
At the same time, the ICMP ECHO REQUEST packet sent by home control network device 61 passes through NAT firewall 51, whereby the source IP of the packet changes -> 6.6.6.6. NAT firewall 51 remembers that source IP 10.0.0.2 has sent an ICMP ECHO REQUEST with ID number 1000.
The sent ICMP ECHO REQUEST packets "pass" each other in Internet 2, that is, both packets are on their way in the operator's network at the same time.
The ICMP ECHO REQUEST packet arrives at firewall 51, and firewall 51 replies to it. The outcome of that reply is immaterial, because the ICMP ECHO REPLY sent by home control network device 61 was sent before the ICMP ECHO REPLY packet sent by firewall 51. It also does not matter if firewall 51 does not reply to the ICMP ECHO REQUEST packet at all.
The ICMP ECHO REPLY packet sent by home control network device 61 arrives at firewall 31. Firewall 31 remembers that an ICMP ECHO packet with ID number 1000 was sent earlier. Firewall 31 remembers that the sender of the request is device 10.0.1.2. Firewall 31 further routes the packet to address 10.0.1.2 by changing the target IP of the packet 5.5.5.5 -> 10.0.1.2.
Home control network key 42 receives the ICMP packet; thus home control network device 61 has successfully sent an ICMP packet of free-form data to home control network key 42.
Then home control network key 42 and home control network device 61 also form another, reverse ICMP connection. This connection is established as described above; only the direction of connection establishment changes. At the end of the connection establishment process, home control network key 42 receives a packet whose payload advantageously contains 30-1400 bytes of VPN traffic.
Home control network device 61 and home control network key 42 continue to send ICMP ECHO REQUEST and ICMP ECHO REPLY packet pairs, each ICMP packet pair having a different ECHO ID. Thus the ICMP ECHO REPLY or TTL time to live exceeded messages sent by firewalls 31 and 51 do not hinder the communication.
Home control network device 61 and home control network key 42 agree on the ECHO ID and the transmission interval to be used between them first by means of the separate home control network server 21 and, once a direct data transfer connection between them has been established, at the beginning of the payload of the ICMP ECHO REPLY packets. At the beginning of each ICMP REPLY packet, the sending device announces the ECHO REQUEST ID that the corresponding device is to send in its next ECHO REQUEST packet, together with the requested transmission interval of the ECHO REQUEST packets. Thus both devices know which ECHO ID needs to be sent in the next ECHO REQUEST packet and when the next ECHO REQUEST needs to be sent. If, for example, the transmission interval requested in an ECHO REPLY packet is 500 ms, the device sends its ECHO REQUEST packet whenever the time elapsed since the moment of connection establishment, in milliseconds, is divisible by 500.
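Both ICMP methods produce echo traffic that a normal ping never does: in method 1 an empty ECHO REQUEST is answered by a REPLY carrying 30-1400 bytes, and in method 2 the REPLY is sent at the same moment as its REQUEST, so it can reach an observation point before any request. The following added example, which is not code from the patent, shows how a monitoring team can recognise both shapes in ICMP flow records; the log format and the log lines are constructed for the example.

```python
# Added illustration from the monitoring side, not the patent's code: a
# checker over constructed ICMP flow records for the two echo-traffic shapes
# the ICMP methods of the text rely on.
import re

# constructed record format: one ICMP echo packet per line
LINE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"icmp=(?P<kind>echo-request|echo-reply) id=(?P<id>\d+) "
                  r"seq=(?P<seq>\d+) len=(?P<len>\d+)")


def parse(line):
    """Parse one record; returns None for lines that are not echo records."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"t": float(d["t"]), "src": d["src"], "dst": d["dst"], "kind": d["kind"],
            "id": int(d["id"]), "seq": int(d["seq"]), "len": int(d["len"])}


def find_icmp_anomalies(lines):
    """Return (time, reason, echo id) findings. Two rules, both taken from the
    text: a reply for which no request with the same id/seq was seen from the
    other side beforehand (method 2 sends reply and request together, and
    method 1 keeps replying to a single request); and a reply whose payload
    length differs from its request (method 1 answers an empty request with
    VPN traffic, whereas a normal echo reply returns the request data)."""
    pending = {}   # (requester, responder, id, seq) -> request payload length
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["kind"] == "echo-request":
            pending[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec["len"]
            continue
        rkey = (rec["dst"], rec["src"], rec["id"], rec["seq"])   # matching request
        if rkey not in pending:
            findings.append((rec["t"], "reply without prior request", rec["id"]))
        elif pending[rkey] != rec["len"]:
            findings.append((rec["t"], "reply payload differs from request", rec["id"]))
        pending.pop(rkey, None)
    return findings


# Constructed sample: a normal ping pair, then a method-1 pair (id 1234) with an
# empty request and a 1200-byte reply followed by a further reply, then a
# method-2 pair (id 1000) whose reply arrives before the request.
SAMPLE_LOG = """\
t=0.000 src=9.9.9.9 dst=6.6.6.6 icmp=echo-request id=77 seq=1 len=56
t=0.020 src=6.6.6.6 dst=9.9.9.9 icmp=echo-reply id=77 seq=1 len=56
t=1.000 src=5.5.5.5 dst=6.6.6.6 icmp=echo-request id=1234 seq=1 len=0
t=1.030 src=6.6.6.6 dst=5.5.5.5 icmp=echo-reply id=1234 seq=1 len=1200
t=1.530 src=6.6.6.6 dst=5.5.5.5 icmp=echo-reply id=1234 seq=2 len=1300
t=2.000 src=6.6.6.6 dst=5.5.5.5 icmp=echo-reply id=1000 seq=1 len=900
t=2.005 src=5.5.5.5 dst=6.6.6.6 icmp=echo-request id=1000 seq=1 len=0
"""

if __name__ == "__main__":
    for t, reason, echo_id in find_icmp_anomalies(SAMPLE_LOG.splitlines()):
        print(f"t={t:.3f} id={echo_id}: {reason}")
```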
An example of establishing a VPN tunnel using the TCP protocol, reference numeral 2064, in the arrangement of Fig. 1a:
An auxiliary TCP relay connection is, in terms of data security, equivalent to any other connection between the two devices (such as a normal direct UDP connection). The VPN connection is not opened on the TCP relay server used; encryption takes place in the terminal devices being connected. Breaking into the TCP relay server cannot compromise an established VPN connection, nor can a home control network key according to the invention be connected to a wrong device by deception.
An example of setting up a TCP relay connection:
The public IP address of home control network key 42 is 5.5.5.5, the public IP address of home control network device 61 is 6.6.6.6, and the public IP address of the TCP relay server (home control network server 21) is 7.7.7.7.
Home control network key 42 makes a TCP connection to address 7.7.7.7 and its port 443. The TCP relay server sees the requested connection and accepts it. The TCP handshake takes place and the TCP channel opens. Home control network key 42 sends unique information about the connection (such as a connection ID) to the TCP relay server along the TCP channel.
The TCP relay server receives the information, by means of which it can later link the received connection to the correct home control network device 61.
Home control network device 61 makes a TCP connection to address 7.7.7.7, port 443. The TCP relay server sees the requested connection and accepts it. The TCP handshake takes place and the TCP channel opens. Home control network device 61 sends unique information about the connection (such as a connection ID) to the TCP relay server along the TCP channel.
The TCP relay server receives the information, by means of which the TCP relay server knows which home control network key 42 home control network device 61 is to be connected to later.
The TCP relay server starts relaying messages between the TCP connections of home control network key 42 and home control network device 61. The TCP relay server always reads data from the TCP connection of home control network key 42 and sends the same data to the TCP connection of home control network device 61. Correspondingly, the TCP relay server reads data from the connection of home control network device 61 and sends the read data to the TCP connection of home control network key 42. The data transfer continues in both directions until one of the TCP connections is interrupted. When one TCP connection is interrupted, the TCP relay server also interrupts the other TCP connection.
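The relay described above pairs two incoming TCP connections by the connection ID each one sends first, forwards bytes in both directions without interpreting them, and tears down the partner when either side closes. The following added example, which is not code from the patent or from TOSIBOX, captures exactly that behaviour as a socket-free event core (the class name, the event methods and the connection ID "conn-7f3a" are constructed for the example) so the pairing and teardown rules can be checked offline.

```python
# Added illustration, not the patent's code: the pairing and forwarding logic
# of the TCP relay server (home control network server 21, 7.7.7.7:443) as an
# event-driven core. A socket layer (not modelled) feeds it three events per
# connection and carries out the actions it returns. Payloads are opaque: as
# the text says, the VPN is not terminated here, so the relay sees ciphertext.


class TcpRelayCore:
    def __init__(self):
        self.waiting = {}   # connection ID -> connection waiting for its partner
        self.peer = {}      # connection -> paired connection

    def register(self, conn, conn_id):
        """First message on a new connection: the unique connection ID the two
        devices agreed through the server. Assumption of this model: the ID is
        an unguessable value, since pairing is decided by it alone."""
        if conn in self.peer or conn in self.waiting.values():
            return [("close", conn)]      # a connection may register only once
        other = self.waiting.pop(conn_id, None)
        if other is None:
            self.waiting[conn_id] = conn  # first of the pair (key 42 in the text)
            return []
        self.peer[conn] = other           # second of the pair (device 61)
        self.peer[other] = conn
        return [("paired", other, conn)]

    def data(self, conn, payload):
        """Forward what was read on one side to the other side unchanged."""
        other = self.peer.get(conn)
        if other is None:
            return []                     # no partner yet or any more: nothing to forward
        return [("send", other, payload)]

    def close(self, conn):
        """When one TCP connection ends, the relay also ends the other one."""
        other = self.peer.pop(conn, None)
        if other is not None:
            self.peer.pop(other, None)
            return [("close", other)]
        for cid, waiting in list(self.waiting.items()):
            if waiting is conn:           # closed before a partner arrived
                del self.waiting[cid]
        return []


def relay_session():
    """Replays the exchange of the text and returns the resulting action log."""
    relay, log = TcpRelayCore(), []
    log += relay.register("key42", "conn-7f3a")     # constructed connection ID
    log += relay.register("dev61", "conn-7f3a")
    log += relay.data("key42", b"\x16\x03\x03...")  # opaque TLS bytes (constructed)
    log += relay.data("dev61", b"\x16\x03\x03...")
    log += relay.close("dev61")                     # device side drops
    log += relay.data("key42", b"late")             # key is no longer paired
    return log
```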
Fig. 4 illustrates the function critical piece according to home control network equipment 61 of the present invention.Home control network equipment 61 has power supply 621.It can be storage battery or the power supply based on main current (mainscurrent).All electric components of home control network equipment obtain their operating voltage from power supply 621.
Home control network equipment 61 has one or more processor 622.Processor or processor device can comprise ALU, a different set of register and control circuit.Computer-readable information or program or user profile can be stored data storage arrangement 623(such as memory cell or storage arrangement thereon) be connected to processor device.Storage arrangement 623 generally comprises permission reading and the memory cell (random access memory, RAM) both write-in functions and comprises the memory cell (read-only memory, ROM) that only therefrom can read the nonvolatile memory of data.All programs needed for the operation of device register, the certificate be utilized in VPN establishment of connection, current network routing information and home control network equipment 61 are advantageously stored in described storage arrangement.
Some examples being stored in the program in the memory of home control network equipment 61 are operating system (such as Linux), TCP/IP program, VPN program (such as OpenVPN), dhcp client device/server program (such as ISCDHCP), dns server program (such as dnsmasq), database program (such as SQLite), remote control program (such as OpenSSH), certificate management/confirmation program (such as GPG) and user interface storehouse (such as LuCI).
Home control network equipment 61 also comprises interface element, and it comprises I/O for receiving or send information or input/output device 624,625,626,627 and 628.The information using input unit to receive is transmitted to be processed by the processor device 622 of home control network equipment 61.The interface element of home control network equipment by information transmission to data transmission network or external data processing device.Interface element advantageously WAN port 624, one or more LAN port 625, antenna port 626, USB port 627 and the control port 628 of home control network equipment 61.The pairing of home control network equipment 61 and home control network key 42 or 41c can advantageously such as come via USB port 627.
To those of skill in the art clearly, the function of home control network equipment 61 can be integrated into a part for computerization or housing project equipment, and computerization or housing project equipment have enough processors and memory span and for using wired data transfer to be connected or Wireless Data Transmission connects the jockey various technique device being connected to computerization or housing project equipment.This computerized equipment (wherein the function of integrated home control network equipment) is connected to certain data transmission network 5, there is the access from this data transmission network 5 pairs of public the Internet.
Fig. 5 a illustrates the function critical piece according to home control network key 42 of the present invention.Home control network equipment 42 has power supply 421.It can be storage battery or the power supply based on main current.All electric components of home control network equipment obtain their operating voltage from power supply 421.
Home control network key 42 can comprise one or more processor 422.Processor or processor device can comprise ALU, a different set of register and control circuit.Computer-readable information or program or user profile can be stored data storage arrangement 423(such as memory cell or storage arrangement thereon) be connected to processor device.Storage arrangement 423 generally comprises permission reading and the memory cell (random access memory, RAM) both write-in functions and comprises the memory cell (read-only memory, ROM) that only therefrom can read the nonvolatile memory of data.All programs needed for the operation of the certificate that will be utilized in VPN establishment of connection, current network routing information and home control network key 42 are advantageously stored in described storage arrangement.
Some examples being stored in the program in the memory of home control network key 42 are operating system (such as Linux), TCP/IP program, VPN program (such as OpenVPN), dhcp client device/server program (such as ISCDHCP), dns server program (such as dnsmasq), database program (such as SQLite), remote control program (such as OpenSSH), certificate management/confirmation program (such as GPG) and user interface storehouse (such as LuCI).
Home control network key 42 also comprises interface element, and it comprises I/O for receiving or send information or input/output device 424,425,426,427 and 428.The information using input unit to receive is transmitted to be processed by the processor device 422 of home control network key 42.The interface element of home control network equipment by information transmission to data transmission network or external data processing device.Interface element advantageously WAN port 424, one or more LAN port 425, antenna port 426, USB port 427 and the control port 428 of home control network equipment 42.
Fig. 5 b illustrates the function critical piece of home control network key 42b according to a second embodiment of the present invention.Home control network key 42b according to this embodiment can comprise one or several cipher processor 422b.Processor or processor device can comprise ALU, a different set of register and control circuit.Cipher processor 422b advantageously comprises internal memory unit, wherein stores independent special purpose system key.
Computer-readable information or program or user profile can be stored data storage arrangement 423b(such as flashing storage unit or storage arrangement thereon) be connected to processor device.Storage arrangement 423b generally comprises permission reading and the memory cell (random access memory, RAM) both write-in functions and comprises the memory cell (read-only memory, ROM) that only therefrom can read the nonvolatile memory of data.The identifying information of home control network key 42b, its current network path, the certificate that will be utilized in VPN establishment of connection, current network routing information, all programs needed for operation of identifying information and home control network key 42b that play the right home control network equipment 61 of its equipment are advantageously stored in described storage arrangement.
Some examples being stored in the program in the memory of home control network key 42b are operating system (such as Linux), TCP/IP program, VPN program (such as OpenVPN), dhcp client device/server program (such as ISCDHCP), database program (such as SQLite), certificate management/confirmation program (such as GPG) and user interface storehouse (such as LuCI).
Home control network key 42 also comprises interface element, and it comprises I/O for receiving or send information or input/output device 426b.The information using input unit to receive is transmitted with the processor device 422b process by home control network key 42b.The interface element of home control network equipment is advantageously used in the information transmission of the memory 423b from home control network key to external data processing device 41c or home control network equipment 61.Correspondingly, information or order such as can be received from data processing equipment via interface element, and home control network key 42b is connected to this data processing equipment.
About their access rights rank, there is above-mentioned home control network key 42 or the 42b of at least two ranks, such as keeper and elemental user rank key devices.Higher access rights level keys equipment user/owner (such as keeper) has the control authority of all control objectives to more low-level home control network cipher key user (such as elemental user).On the other hand, the control objectives of any other access rights rank higher than the target of himself can not be accessed compared with the owner of low level key devices access rights rank.
Fig. 6 shows the main functional parts of the home control network server 21. The home control network server 21 advantageously also acts as a TCP relay server. The home control network server 21 comprises a power supply 611, which can be a battery or a mains-based power supply. All electrical components of the home control network server 21 obtain their operating voltage from the power supply 611.
The home control network server 21 has one or more processors 612. A processor or processor device can comprise an arithmetic logic unit, a set of registers and control circuitry. Computer-readable information, programs or user data can be stored in a data storage arrangement 613 (such as a memory unit or memory device) connected to the processor device. The memory arrangement 613 generally comprises memory units that allow both reading and writing (random access memory, RAM) and non-volatile memory units from which data can only be read (read-only memory, ROM). The identifying information of the device pairs in the remote control system (the Tosibox register), the current network routing information of each device pair, and all programs needed for establishing the VPN data transfer connections between a device pair and the Tosibox database are advantageously stored in this memory arrangement.
Some examples of the programs stored in the memory of the home control network server 21 are an operating system (such as Linux), TCP/IP programs, a DHCP server/client program (such as ISC DHCP), a DNS server program (such as BIND), a database program (such as SQLite), a certificate management/verification program (such as GPG) and a user interface library (such as LuCI).
The home control network server 21 also comprises interface elements, including input/output devices 614 for receiving or sending information. Information received via an input device is passed on for processing by the processor device 612 of the home control network server 21. The interface elements of the home control network server transfer information to the data transmission network or to an external data processing device. The interface element of the home control network server 21 is advantageously a WAN port 614.
The home control network server 21 advantageously also comprises a user interface (not shown in Fig. 6), comprising means for receiving information from the user of the server 21. The user interface can comprise a keyboard, a touch screen, a smartphone and a loudspeaker.
Fig. 7 shows the layers (Tosibox layers) used in the data transfer between the home control network device 61, the home control network keys 42, 42b and the home control network server 21.
The physical Tosibox layer comprises the alternatives for the physical data transfer connection established between the two devices taking part in the remote control. The data transfer connection can be established, for example, by coupling the devices via their Ethernet ports to a local Ethernet network that has a connection to the Internet. Alternatively, the data transfer connection can be established in a local WLAN network that has a connection to the Internet. A third alternative is to form a 2G or 3G data transfer connection; in this embodiment, the terminal device that establishes the 2G or 3G connection is connected to the USB port of the home control network device and/or the home control network key.
The Tosibox data link layer comprises the connection establishment processes that can be used for the packet-switched transport of the VPN data. The alternative or parallel connection establishment processes comprise a direct TCP data transfer connection between the components, a direct UDP data transfer connection between the components, a data transfer connection established by means of TCP, a data transfer connection between the components based on ICMP ECHO messages, and a relayed data transfer connection established via the home control network server (TCP relay component).
The VPN encryption layer comprises the encryption process known to the home control network device 61 (its own personal private key and the public key of the home control network key) and the encryption process known to the home control network keys 42, 42b (their own personal private key and the public key of the home control network device). Using these encryption processes, the home control network device 61 and the home control network key 42, 42b can establish a secure VPN data transfer connection by means of public key cryptography (PKI).
Above, some of the processes used when establishing the VPN data transfer connection of the remote control system according to the invention have been described, together with advantageous embodiments of the components that implement these processes in the remote control system. The invention is not limited to the solutions described above; the inventive concept can be applied in many ways within the scope of the claims.
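The connection establishment race described for the Tosibox data link layer above, together with the release rule stated in claims 3, 6 and 9 below (if the VPN is also established by another method, at least the relayed TCP VPN is released), as an added Python example that is not the patent's or Tosibox's code. The method names, the path model, its latencies and the sets of methods each NAT defeats are constructed for the example; no real sockets are opened, the race is modelled as completion events in time order.

```python
"""Race between the alternative VPN connection-establishment methods (added example, not Tosibox code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Establishment methods named in the description and in claims 2, 5 and 8.
DIRECT_TCP = "direct_tcp"
DIRECT_UDP = "direct_udp"
UDP_PORT_SCAN = "udp_port_scan"
ICMP_ECHO = "icmp_echo"
RELAYED_TCP = "relayed_tcp"        # via the home control network server (TCP relay component)
ALL_METHODS = (DIRECT_TCP, DIRECT_UDP, UDP_PORT_SCAN, ICMP_ECHO, RELAYED_TCP)


@dataclass(frozen=True)
class PathModel:
    """Constructed model of the path between the two terminals: seconds each method needs to
    come up, and the methods that the NATs/firewalls on the path defeat (assumed values)."""
    latency: Dict[str, float]
    blocked: frozenset


@dataclass
class Vpn:
    method: str
    established_at: float
    released: bool = False

    @property
    def direct(self) -> bool:
        # Everything except the relay through the server is an end-to-end connection.
        return self.method != RELAYED_TCP


@dataclass
class RaceOutcome:
    vpns: List[Vpn] = field(default_factory=list)

    @property
    def first_up(self) -> Optional[str]:
        return self.vpns[0].method if self.vpns else None

    @property
    def active(self) -> List[str]:
        return [v.method for v in self.vpns if not v.released]

    @property
    def released(self) -> List[str]:
        return [v.method for v in self.vpns if v.released]


def establish_vpn(path: PathModel, deadline: float = 5.0) -> RaceOutcome:
    """Start every method in parallel (modelled as a discrete-event race ordered by completion
    time), accept each VPN that comes up, and apply the release rule: a relayed VPN is only
    kept while no direct VPN exists."""
    events = sorted(
        (path.latency[method], method)
        for method in ALL_METHODS
        if method not in path.blocked and path.latency[method] <= deadline
    )
    outcome = RaceOutcome()
    for finished_at, method in events:
        outcome.vpns.append(Vpn(method, finished_at))
        if any(v.direct for v in outcome.vpns):
            for v in outcome.vpns:
                if not v.direct:
                    v.released = True   # a direct path exists: drop the relay through the server
    return outcome


# Three constructed scenarios: same latencies, different NAT behaviour on the path.
LATENCY = {DIRECT_TCP: 0.05, DIRECT_UDP: 0.05, UDP_PORT_SCAN: 0.40, ICMP_ECHO: 0.30, RELAYED_TCP: 0.15}
PUBLIC_DEVICE = PathModel(LATENCY, frozenset())                                   # everything gets through
BOTH_BEHIND_NAT = PathModel(LATENCY, frozenset({DIRECT_TCP, DIRECT_UDP, ICMP_ECHO}))  # only hole punching works
SYMMETRIC_NAT = PathModel(LATENCY, frozenset(ALL_METHODS) - {RELAYED_TCP})        # nothing direct works

if __name__ == "__main__":
    for name, path in (("public device", PUBLIC_DEVICE), ("both behind NAT", BOTH_BEHIND_NAT),
                       ("symmetric NAT", SYMMETRIC_NAT)):
        out = establish_vpn(path)
        print(f"{name}: first up {out.first_up}, active {out.active}, released {out.released}")
```

In the "both behind NAT" scenario the relay comes up first and carries traffic until the UDP hole-punched connection is established, at which point the relay is released; with symmetric NAT on both sides the relay is the only VPN and is kept. The claims only require release of the relayed VPN, so the example leaves any further direct VPNs to higher-level policy.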

Claims (16)

1. A remote control method for providing a virtual private network (55, VPN) between a first network terminal (42, 42b) of a remote control system for an actuator in a property and a second network terminal (61), characterized in that
- both the first network terminal (42, 42b) and the second network terminal (61), which form a predetermined network terminal pair whose members are only allowed to communicate with each other, send polls from time to time to a home control network server (21), in which the home control network server is asked whether the other device of the device pair is connected to the data transmission network, and if so,
- both the first network terminal (42, 42b) and the second network terminal (61) connect (201) to the home control network server (21) in order to establish the virtual private network and request (204) routing information from the home control network server (21) in order to establish an end-to-end data transfer connection between the network terminals,
- after having checked in the home control network server that the network terminals (42, 42b, 61) are the predetermined network terminal pair, the home control network server (21) sends the requested routing information (205) to both the first network terminal (42, 42b) and the second network terminal (61), and
- the first network terminal (42, 42b) and the second network terminal (61) start end-to-end data transfer connection establishment processes using several known methods of establishing a virtual private network, in order to provide at least one virtual private network (55).
2. The remote control method according to claim 1, characterized in that the virtual private network is established as a direct TCP data transfer connection (2060, 2060a) between the network terminals, as a direct UDP data transfer connection (2061, 2061a) between the network terminals, by using UDP port scanning (2062, 2062a) at the network terminals, by utilizing ICMP ECHO messages (2063, 2063a) of the Internet Control Message Protocol, or as a TCP data transfer connection (2064, 2064a) relayed via the home control network server (21).
3. The remote control method according to claim 2, characterized in that if the virtual private network (55) is also established using another method of establishing a virtual private network, at least the relayed TCP virtual private network is released.
4. A home control network key device (42, 42b) for an actuator in a property, comprising:
- network interface components comprising input/output devices (424, 425, 426, 426b, 427, 428) for network interfaces (3, 4),
- a processor (422, 422b), and
- a memory (423, 423b) comprising computer program code,
characterized in that the processor, the memory and the computer program code stored therein are configured to:
- send polls from time to time to a home control network server (21), in which it is asked whether a home control network device (61) is connected to the data transmission network, the home control network device having been predetermined as the network terminal pair of the home control network key device (42, 42b), the home control network key device (42, 42b) being only allowed to communicate with the home control network device, and if the home control network device is connected to the data transmission network:
- connect (201) to the home control network server (21) and request (204) from the home control network server (21) the routing information of the home control network device (61) in order to establish a virtual private network to the home control network device (61),
- receive the routing information of the home control network device (61) from the home control network server (21), and
- start end-to-end data transfer connection establishment processes using several known methods of establishing a virtual private network, in order to provide at least one virtual private network (55) with the home control network device (61).
5. The home control network key device according to claim 4, characterized in that it is configured to establish the virtual private network as a direct TCP data transfer connection (2060, 2060a) to the home control network device (61), to establish the virtual private network as a direct UDP data transfer connection (2061, 2061a) to the home control network device (61), to establish the virtual private network with the home control network device (61) by using UDP port scanning (2062, 2062a), to establish the virtual private network with the home control network device (61) by utilizing ICMP ECHO messages (2063, 2063a) of the Internet Control Message Protocol, or to establish a TCP data transfer connection (2064, 2064a) relayed to the home control network device (61) via the home control network server (21).
6. The home control network key device according to claim 5, characterized in that it is configured to release at least the relayed TCP virtual private network if the virtual private network (55) is also established using another method of establishing a virtual private network.
7. A home control network device (61) for an actuator in a property, comprising:
- network interface components comprising input/output devices (624, 625, 626, 627, 628) for a network interface (5),
- a processor (622), and
- a memory (623) comprising computer program code,
characterized in that the processor, the memory and the computer program code stored therein are configured to:
- send polls from time to time to a home control network server (21), in which it is asked whether a home control network key device (42, 42b) is connected to the data transmission network, the home control network key device having been predetermined as the network terminal pair of the home control network device (61), the home control network device (61) being only allowed to communicate with the home control network key device, and if the home control network key device is connected to the data transmission network:
- connect (201) to the home control network server (21) and request (204) from the home control network server (21) the routing information of the home control network key device (42, 42b) in order to establish a virtual private network to the home control network key device (42, 42b),
- receive the routing information of the home control network key device (42, 42b) from the home control network server (21), and
- start end-to-end data transfer connection establishment processes using several known methods of establishing a virtual private network, in order to provide at least one virtual private network (55) with the home control network key device (42, 42b).
8. The home control network device according to claim 7, characterized in that it is configured to establish the virtual private network as a direct TCP data transfer connection (2060, 2060a) to the home control network key device (42, 42b), to establish the virtual private network as a direct UDP data transfer connection (2061, 2061a) to the home control network key device (42, 42b), to establish the virtual private network with the home control network key device (42, 42b) by using UDP port scanning (2062, 2062a), to establish the virtual private network with the home control network key device (42, 42b) by utilizing ICMP ECHO messages (2063, 2063a) of the Internet Control Message Protocol, or to establish a TCP data transfer connection (2064, 2064a) relayed to the home control network key device (42, 42b) via the home control network server (21).
9. The home control network device according to claim 8, characterized in that it is configured to release at least the relayed TCP virtual private network if the virtual private network (55) is also established using another method of establishing a virtual private network.
10. A home control network server (21), comprising:
- network interface components comprising input/output devices (614),
- a processor (612), and
- a memory (613) comprising computer program code,
characterized in that the processor, the memory and the computer program code stored therein are configured to:
- store in the memory of the home control network server the identifying information of network terminal pairs (42, 42b, 62) formed by two network terminals used for the remote control of a property,
- receive from the network terminal pairs (42, 42b, 62) the network routing information determined by them,
- receive from a first network terminal (42, 42a) a routing information request concerning its network terminal pair,
- check which other network terminal (61) acts as the predetermined network terminal pair of the first network terminal making the routing information request, the first network terminal (42, 42a) being only allowed to communicate with the second network terminal,
- send the routing information of the network terminal pair to both the first network terminal (42, 42a) and the second network terminal (61), if both of them are connected to the data transmission network,
- receive the network address information used in connection with the network terminals (42, 42b, 61), and send the permitted network address information to the home control network device (61), and
- release the data transfer connections to the network terminal pair (42, 42a, 61) when at least one direct virtual private network (55) has been successfully established between the network terminal pair (42, 42b, 61).
11. A method for providing home control network device functionality, comprising determining routing information from a home control network key device (42, 42b) to the Internet (2), characterized in that the method further comprises:
- sending polls from time to time to a home control network server (21), in which the home control network server is asked whether a home control device (61) is connected to the data transmission network, the home control network key device (42, 42b) forming a predetermined terminal pair with the home control device (61), the members of the predetermined terminal pair being allowed to communicate only with each other, and if the home control device is connected to the data transmission network:
- connecting (201) to the home control network server (21) and requesting (204) from the home control network server (21) the routing information of the home control network device (61) in order to establish a virtual private network to the home control network device (61),
- receiving the routing information of the home control network device (61) from the home control network server (21), and
- starting end-to-end data transfer connection establishment processes using several known methods of establishing a virtual private network, in order to provide at least one virtual private network (55) with the home control network device (61).
12. The method according to claim 11, characterized in that it further comprises: establishing the virtual private network as a direct TCP data transfer connection (2060, 2060a) to the home control network device (61), establishing the virtual private network as a direct UDP data transfer connection (2061, 2061a) to the home control network device (61), establishing the virtual private network with the home control network device (61) by using UDP port scanning (2062, 2062a), establishing the virtual private network with the home control network device (61) by utilizing ICMP ECHO messages (2063, 2063a) of the Internet Control Message Protocol, or establishing a TCP data transfer connection (2064, 2064a) relayed to the home control network device (61) via the home control network server (21).
13. The method according to claim 12, characterized in that it further comprises: releasing at least the relayed TCP virtual private network if the virtual private network (55) is also established using another method of establishing a virtual private network.
14. A method for providing home control network device functionality, comprising determining routing information from a home control network device (61) to the Internet (2), characterized in that the method further comprises:
- sending polls from time to time to a home control network server (21), in which the home control network server is asked whether a home control key (42, 42b) is connected to the data transmission network, the home control network device (61) and the home control key forming a predetermined terminal pair whose members are allowed to communicate only with each other, and if the home control key is connected to the data transmission network:
- connecting (201) to the home control network server (21) and requesting (204) from the home control network server (21) the routing information of the home control network key device (42, 42b) in order to establish a virtual private network to the home control network key device (42, 42b),
- receiving the routing information of the home control network key device (42, 42b) from the home control network server (21), and
- starting end-to-end data transfer connection establishment processes using several known methods of establishing a virtual private network, in order to provide at least one virtual private network (55) with the home control network key device (42, 42b).
15. The method according to claim 14, characterized in that it further comprises: establishing the virtual private network as a direct TCP data transfer connection (2060, 2060a) to the home control network key device (42, 42b), establishing the virtual private network as a direct UDP data transfer connection (2061, 2061a) to the home control network key device (42, 42b), establishing the virtual private network with the home control network key device (42, 42b) by using UDP port scanning (2062, 2062a), establishing the virtual private network with the home control network key device (42, 42b) by utilizing ICMP ECHO messages (2063, 2063a) of the Internet Control Message Protocol, or establishing a TCP data transfer connection (2064, 2064a) relayed to the home control network key device (42, 42b) via the home control network server (21).
16. The method according to claim 15, characterized in that it further comprises: releasing at least the relayed TCP virtual private network if the virtual private network (55) is also established using another method of establishing a virtual private network.
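The server-side procedure of claims 1 and 10 above, with the terminal side of claims 4, 7, 11 and 14 driving it, as an added Python example that is not the patent's or Tosibox's code: a register of predetermined terminal pairs, periodic polls that answer whether the pair partner is connected, routing-information requests that are answered only within a registered pair and only when both members are connected and have reported routing information, and release of the server's connections once a direct VPN is up. The terminal identifiers, the RoutingInfo fields, the 90-second poll timeout and the in-memory outbox standing in for the network are assumptions made for the example.

```python
"""Rendezvous and pairing logic of the home control network server (added example, not Tosibox code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

POLL_TIMEOUT = 90.0  # seconds without a poll after which a terminal counts as disconnected (assumed)


@dataclass(frozen=True)
class RoutingInfo:
    """Routing information a terminal determines for itself and reports to the server (assumed fields)."""
    public_ip: str
    public_port: int
    nat_type: str


@dataclass
class Terminal:
    terminal_id: str
    last_poll: Optional[float] = None
    routing: Optional[RoutingInfo] = None


class PairingError(Exception):
    """Unknown terminal, or a request concerning a terminal that is not the requester's pair."""


class HomeControlNetworkServer:
    def __init__(self) -> None:
        self.partner: Dict[str, str] = {}            # the register: terminal -> its single allowed peer
        self.terminals: Dict[str, Terminal] = {}
        self.outbox: Dict[str, List[Tuple]] = {}     # messages "sent" to each terminal (stands in for the network)
        self.relay_open: Set[frozenset] = set()      # pairs for which the server still holds connections

    def register_pair(self, key_id: str, device_id: str) -> None:
        """Pairs are predetermined: a terminal belongs to exactly one pair and may talk only to it."""
        for tid in (key_id, device_id):
            if tid in self.partner:
                raise PairingError(f"{tid} is already paired with {self.partner[tid]}")
        self.partner[key_id], self.partner[device_id] = device_id, key_id
        for tid in (key_id, device_id):
            self.terminals[tid] = Terminal(tid)
            self.outbox[tid] = []

    def _terminal(self, tid: str) -> Terminal:
        if tid not in self.terminals:
            raise PairingError(f"unknown terminal {tid}")   # unregistered terminals get nothing
        return self.terminals[tid]

    def is_online(self, tid: str, now: float) -> bool:
        t = self._terminal(tid)
        return t.last_poll is not None and now - t.last_poll <= POLL_TIMEOUT

    def poll(self, tid: str, now: float) -> bool:
        """Periodic poll: record the caller as connected and answer whether its pair partner is connected."""
        self._terminal(tid).last_poll = now
        return self.is_online(self.partner[tid], now)

    def report_routing(self, tid: str, routing: RoutingInfo) -> None:
        self._terminal(tid).routing = routing

    def request_routing(self, requester: str, target: str, now: float) -> bool:
        """Steps 204/205: answer only for the requester's own predetermined pair, and only when both
        members are connected and have reported routing information. True if routing information
        was sent to both terminals; the server then holds connections for the pair (relay phase)."""
        self._terminal(requester)
        if self.partner.get(requester) != target:
            raise PairingError(f"{requester} is not paired with {target}")
        if not (self.is_online(requester, now) and self.is_online(target, now)):
            return False
        a, b = self.terminals[requester], self.terminals[target]
        if a.routing is None or b.routing is None:
            return False
        self.outbox[requester].append(("routing", target, b.routing))
        self.outbox[target].append(("routing", requester, a.routing))
        self.relay_open.add(frozenset((requester, target)))
        return True

    def vpn_established(self, a: str, b: str, direct: bool) -> bool:
        """Release the server's connections once at least one direct VPN exists between the pair."""
        pair = frozenset((a, b))
        if direct and pair in self.relay_open:
            self.relay_open.discard(pair)
            return True
        return False


if __name__ == "__main__":
    srv = HomeControlNetworkServer()
    srv.register_pair("key-42b", "device-61")
    print("key polls, device offline:", srv.poll("key-42b", now=0.0))
    print("device polls, key online:", srv.poll("device-61", now=2.0))
    srv.report_routing("key-42b", RoutingInfo("203.0.113.10", 40000, "full-cone"))
    srv.report_routing("device-61", RoutingInfo("198.51.100.7", 1194, "restricted"))
    print("routing sent to both:", srv.request_routing("key-42b", "device-61", now=3.0))
    print("server connections released:", srv.vpn_established("key-42b", "device-61", direct=True))
```

Two checks worth keeping in any real implementation are visible here: a routing request names a target, and the server refuses it unless that target is the requester's registered partner, so a compromised or misconfigured key cannot learn the routing information of another customer's device; and "connected" is defined by a recent poll, so a terminal that stopped polling is treated as offline and no routing information is handed out for it.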
CN201380012759.5A 2012-01-09 2013-01-07 For realizing apparatus arrangement and the method for the data transmission network used in the Long-distance Control of assets Active CN104160677B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FI20125022A FI125972B (en) 2012-01-09 2012-01-09 Equipment arrangement and method for creating a data transmission network for remote property management
FI20125022 2012-01-09
PCT/FI2013/050011 WO2013104823A2 (en) 2012-01-09 2013-01-07 Device arrangement and method for implementing a data transfer network used in remote control of properties

Publications (2)

Publication Number Publication Date
CN104160677A CN104160677A (en) 2014-11-19
CN104160677B true CN104160677B (en) 2016-02-10

Family

ID=48782006

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380012759.5A Active CN104160677B (en) 2012-01-09 2013-01-07 For realizing apparatus arrangement and the method for the data transmission network used in the Long-distance Control of assets

Country Status (15)

Country Link
US (1) US9900178B2 (en)
EP (1) EP2803177B1 (en)
JP (1) JP5763849B2 (en)
KR (1) KR101519520B1 (en)
CN (1) CN104160677B (en)
AU (1) AU2013208840B2 (en)
BR (1) BR112014016909A8 (en)
CA (1) CA2860680C (en)
DK (1) DK2803177T3 (en)
ES (1) ES2618953T3 (en)
FI (1) FI125972B (en)
MX (1) MX338045B (en)
PL (1) PL2803177T3 (en)
RU (1) RU2584752C2 (en)
WO (1) WO2013104823A2 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104969531B (en) * 2013-02-07 2019-02-15 飞利浦灯具控股公司 Configure the interactive controlling in multi-controller network
DE102013106119A1 (en) * 2013-06-12 2014-12-18 Deutsche Telekom Ag Hierarchical authentication and authorization system
EP2887589A1 (en) * 2013-12-20 2015-06-24 Rovio Entertainment Ltd Stateless message routing
US9871717B2 (en) * 2014-04-25 2018-01-16 Metaswitch Networks Ltd Data processing
SE539192C2 (en) * 2014-08-08 2017-05-09 Identitrade Ab Method and a system for authenticating a user
CN104796341A (en) * 2015-03-13 2015-07-22 王金浪 Portable network transmission conversion device and network allocation system thereof
US10015162B2 (en) * 2015-05-11 2018-07-03 Huawei Technologies Co., Ltd. Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests
RU2674309C9 (en) * 2017-03-10 2019-02-15 Ашот Эрнстович Кочарян Device, method, program and interface for the terminals system with control by means of a touch screen
WO2019067802A1 (en) 2017-09-27 2019-04-04 Ubiquiti Networks, Inc. Systems for automatic secured remote access to a local network
US20200084264A1 (en) * 2018-09-11 2020-03-12 Owl Cyber Defense Solutions, Llc System and method for secure cross-domain file transfer
US11611536B2 (en) * 2020-06-10 2023-03-21 360 It, Uab Enhanced privacy-preserving access to a VPN service
US11671375B2 (en) * 2021-07-15 2023-06-06 Verizon Patent And Licensing Inc. Systems and methods for software defined hybrid private and public networking

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007043381A1 (en) * 2005-10-04 2007-04-19 Matsushita Electric Industrial Co., Ltd. Network communication device, network communication method, and address management device
EP1912413A1 (en) * 2006-10-13 2008-04-16 Quipa Holdings Limited A method for forming a secure virtual private network facilitating peer-to-peer communication

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL144100A (en) 2000-07-06 2006-08-01 Samsung Electronics Co Ltd Mac address-based communication restricting method
US6941356B2 (en) 2001-06-29 2005-09-06 International Business Machines Corporation Automated configuration enabled via interrogation over network
US20040162992A1 (en) * 2003-02-19 2004-08-19 Sami Vikash Krishna Internet privacy protection device
US20050120204A1 (en) 2003-12-01 2005-06-02 Gary Kiwimagi Secure network connection
JP2005217584A (en) 2004-01-28 2005-08-11 Nec Corp Control station, radio communication system, and radio communication method
US7590074B1 (en) * 2004-12-02 2009-09-15 Nortel Networks Limited Method and apparatus for obtaining routing information on demand in a virtual private network
US8572721B2 (en) * 2006-08-03 2013-10-29 Citrix Systems, Inc. Methods and systems for routing packets in a VPN-client-to-VPN-client connection via an SSL/VPN network appliance
WO2009115132A1 (en) * 2008-03-20 2009-09-24 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for use in a communications network
JP5357619B2 (en) 2009-04-28 2013-12-04 セコム株式会社 Communication failure detection system
US20100325719A1 (en) * 2009-06-19 2010-12-23 Craig Stephen Etchegoyen System and Method for Redundancy in a Communication Network
US20110219114A1 (en) 2010-03-05 2011-09-08 Bo Yang Pod-based server backend infrastructure for peer-assisted applications
CN101969435B (en) 2010-09-30 2013-02-20 北京新媒传信科技有限公司 Interaction method and system based on SIP (Session Initiation Protocol)-C protocol
FI123551B (en) * 2011-02-22 2013-07-15 Tosibox Oy Procedure and arrangement for the implementation of remote control in real estate
FI124341B (en) * 2011-05-24 2014-07-15 Tosibox Oy Equipment arrangement for remote real estate management
KR101303120B1 (en) * 2011-09-28 2013-09-09 삼성에스디에스 주식회사 Apparatus and method for providing virtual private network service based on mutual authentication

Also Published As

Publication number Publication date
BR112014016909A2 (en) 2017-06-13
US9900178B2 (en) 2018-02-20
BR112014016909A8 (en) 2017-07-04
KR20140110078A (en) 2014-09-16
MX338045B (en) 2016-03-31
EP2803177A4 (en) 2015-09-23
PL2803177T3 (en) 2017-07-31
JP5763849B2 (en) 2015-08-12
AU2013208840A1 (en) 2014-08-21
RU2014131719A (en) 2016-03-10
JP2015503871A (en) 2015-02-02
MX2014008449A (en) 2015-02-24
KR101519520B1 (en) 2015-05-12
AU2013208840B2 (en) 2015-01-22
DK2803177T3 (en) 2017-03-27
US20150146567A1 (en) 2015-05-28
WO2013104823A3 (en) 2013-09-06
FI20125022A (en) 2013-07-10
ES2618953T3 (en) 2017-06-22
CA2860680C (en) 2017-01-17
EP2803177A2 (en) 2014-11-19
WO2013104823A2 (en) 2013-07-18
CN104160677A (en) 2014-11-19
EP2803177B1 (en) 2016-12-14
FI125972B (en) 2016-05-13
RU2584752C2 (en) 2016-05-20
CA2860680A1 (en) 2013-07-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant